Re: [Vserver] bind9 in vserver

From: Georges Toth <georges_at_norm.lu>
Date: Sun 11 Jun 2006 - 21:20:37 BST
Message-Id: <200606112220.38342.georges@norm.lu>

> I'd like to know what is the security problem with CAP_SYS_RESOURCE?
> Herbert said
> "Currently the following Linux Capabilities are considered secure, if
> you add others to them, you will probably open some security hole."
>
> but what is the problem with overriding resource limits, quota, reserved
> space on fs, ...? DoS on another vserver using the whole resources?
>
> what else ?

I'm sure some other people on this list can explain that a lot better than I
can.
The great thing about vserver is, besides the stuff you surely know, that it
restricts access to the host system a lot.
So only basic stuff is allowed.

If you need quota...which is safe AFAIK, you have to add that cap....etc...
(and use vroot).

The problem with that sys-resource cap is IIRC that it gives too much access
rights to the guest. Which in turn _may_ lead to a host takeover ... correct
me if I'm wrong..

The bind problem is that with the default installation, it tries to raise its
caps at runtime. And that is bad, and by default disabled for a
vserver-guest.

I run several name servers as guests, and have compiled bind with
caps-disabled, and it works great.
So either use the dev version of vserver (as suggested) or recompile bind.

Hope this helps :-)

-- 
regards,
Georges Toth
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sun Jun 11 21:22:25 2006
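
Added example, not part of the original message or of the vserver or BIND code: a shell check that decodes a capability mask (the hex value on the `CapBnd:` line of `/proc/<pid>/status` on current Linux kernels) and lists which capabilities a daemon wants that the guest does not have, such as CAP_SYS_RESOURCE in this thread. The function names, the sample masks and the list of requested capabilities are constructed for illustration; the bit numbers are those of `<linux/capability.h>`.

```shell
#!/bin/sh
# Map a capability name to its bit number (values from <linux/capability.h>).
cap_bit() {
  case "$1" in
    CAP_CHOWN)            echo 0 ;;
    CAP_DAC_READ_SEARCH)  echo 2 ;;
    CAP_SETGID)           echo 6 ;;
    CAP_SETUID)           echo 7 ;;
    CAP_NET_BIND_SERVICE) echo 10 ;;
    CAP_SYS_CHROOT)       echo 18 ;;
    CAP_SYS_RESOURCE)     echo 24 ;;
    *) return 1 ;;        # name not in this (partial) table
  esac
}

# has_cap MASK_HEX NAME: succeeds if NAME's bit is set in MASK_HEX.
has_cap() {
  bit=$(cap_bit "$2") || return 2
  [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
}

# missing_caps MASK_HEX NAME...: print the requested names absent from the mask.
missing_caps() {
  mask=$1; shift
  out=""
  for name in "$@"; do
    has_cap "$mask" "$name" || out="$out${out:+ }$name"
  done
  echo "$out"
}

# Bounding set of the calling process, as reported by the kernel.
current_bounding_set() {
  sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status
}

# Constructed sample: a restricted guest mask without CAP_SYS_RESOURCE, and
# a hypothetical list of capabilities a name server asks to keep at startup.
GUEST_MASK=00000000000404c5
WANTED="CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_SYS_RESOURCE"

# Report what the daemon would be refused inside such a guest.
echo "missing in guest: $(missing_caps "$GUEST_MASK" $WANTED)"
```

Run inside the guest with `missing_caps "$(current_bounding_set)" $WANTED` to compare against the real bounding set instead of the constructed mask.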