Re: [Vserver] OCS Inventory

From: Daniel W. Crompton <daniel.crompton_at_gmail.com>
Date: Sat 17 Mar 2007 - 14:37:39 GMT
Message-ID: <c17f91900703170737y538b5ca4v803824b5d4951b9a@mail.gmail.com>

On 3/17/07, Daniel Hokka Zakrisson <daniel@hozac.com> wrote:
>>> You absolutely never ever want to do that, if you care the least about the
>>> guest being secure... /dev/mem would give it complete access to the
>>> contents of your RAM.
>> Seriously if you care about your guest being secure you make sure that
>> the host doesn't have physical network access. If you want to be able
>> to run certain programs in a guest you sometimes need rights which are
>> available to only the host. That's the whole point of caps.
> Which should not be taken as lightly as "you just need to create XYZ".
> It's something that essentially voids the entire virtualization/isolation
> that Linux-VServer provides...

You are right that I was a little flippant in my remark that one
should just create /dev/mem, and should have mentioned the security
implications. My remark did contain a reservation you didn't pick up on.
"You might just need to create XYZ" carries a very different message
than "you just need to create XYZ." In this case "might" means that it
is possible that you would need to do XYZ; I realize that this
reservation could be missed in a cursory reading.

However, that doesn't negate the fact that to run OCS Agent as
is in a guest you might just need to create /dev/mem.

regards,

D.

blaze your trail

--
redhat
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sat Mar 17 15:02:18 2007
Generated on Sat 17 Mar 2007 - 15:02:26 GMT by hypermail 2.1.8