Re: [Vserver] security implications of having /dev/mem in a guest

From: Herbert Poetzl <>
Date: Tue 14 Mar 2006 - 13:08:05 GMT
Message-ID: <>

On Tue, Mar 14, 2006 at 11:03:09AM +1100, Tony Lewis wrote:
> I installed a muck-around vserver guest as an Ubuntu desktop (though
> never finished setting it up to log in remotely). Doing an upgrade now
> wants to run dmidecode as part of the postinstall. This wants access to
> /dev/mem, which of course doesn't exist in the guest. Plus to be useful
> I guess I'll have to grant the SYS_RAWIO capability to the guest too?
> What are the security implications of having /dev/mem plus RAWIO
> capabilities in a guest? My armchair guess is that a root process in
> the guest would have read (and write?) access to the entire memory space.

yep, your armchair guess is correct ...

plus it will be allowed to mess with certain hardware


> Tony Lewis
> _______________________________________________
> Vserver mailing list
Received on Tue Mar 14 13:08:55 2006
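
Added example, not part of the original thread: a check an administrator can run as root inside a guest to see whether both conditions discussed above hold, that is, a /dev/mem-type device node is present and CAP_SYS_RAWIO is in the process's capability sets. It assumes a kernel that exposes the Cap* lines in /proc/<pid>/status; the function names and the SAMPLE value are constructed for illustration.

```python
import os
import stat

CAP_SYS_RAWIO = 17   # bit number of CAP_SYS_RAWIO in <linux/capability.h>
DEV_MEM = (1, 1)     # /dev/mem is character device major 1, minor 1
# Constructed sample of /proc/<pid>/status lines with bit 17 set.
SAMPLE = "CapEff:\t00000000a80625fb\nCapBnd:\t00000000a80625fb\n"


def parse_caps(status_text):
    """Return {field: mask} for the Cap* lines of a /proc/<pid>/status dump."""
    caps = {}
    for line in status_text.splitlines():
        name, _, value = line.partition(":")
        if name in ("CapPrm", "CapEff", "CapBnd"):
            caps[name] = int(value.strip(), 16)
    return caps


def has_rawio(mask):
    return bool((mask >> CAP_SYS_RAWIO) & 1)


def is_mem_node(st):
    """Match on device numbers, so a renamed node is still caught."""
    return (stat.S_ISCHR(st.st_mode)
            and (os.major(st.st_rdev), os.minor(st.st_rdev)) == DEV_MEM)


def find_mem_nodes(dev_dir="/dev"):
    hits = []
    for root, _dirs, files in os.walk(dev_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if is_mem_node(os.lstat(path)):
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def assess(status_text, mem_nodes):
    caps = parse_caps(status_text)
    rawio = any(has_rawio(m) for m in caps.values())
    return {"rawio": rawio, "mem_nodes": list(mem_nodes),
            "raw_memory_reachable": rawio and bool(mem_nodes)}


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        print(assess(fh.read(), find_mem_nodes()))
```

A guest that reports raw_memory_reachable as False on both counts matches the default situation described in the question, where /dev/mem does not exist in the guest.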

Generated on Tue 14 Mar 2006 - 13:08:59 GMT by hypermail 2.1.8