Re: [Vserver] OCS Inventory

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Sat 17 Mar 2007 - 18:06:45 GMT
Message-ID: <20070317180645.GB25472@MAIL.13thfloor.at>

On Sat, Mar 17, 2007 at 02:37:39PM +0000, Daniel W. Crompton wrote:
> On 3/17/07, Daniel Hokka Zakrisson <daniel@hozac.com> wrote:
> >>>You absolutely never ever want to do that, if you care the least about
> >>>the guest being secure... /dev/mem would give it complete access to the
> >>>contents of your RAM.
> >>Seriously if you care about your guest being secure you make sure that
> >>the host doesn't have physical network access. If you want to be able
> >>to run certain programs in a guest you sometimes need rights which are
> >>available to only the host. That's the whole point of caps.
> >Which should not be taken as lightly as "you just need to create XYZ".
> >It's something that essentially voids the entire virtualization/isolation
> >that Linux-VServer provides...
>
> You are right that I was a little flippant in my remark that one
> should just create /dev/mem, and should have mentioned the security
> implications. My remark did contain a reservation you didn't pick up on.
> "You might just need to create XYZ" carries a very different message
> than "you just need to create XYZ." In this case "might" means that it
> is possible that you would need to do XYZ; I realize that this
> reservation could be missed in a cursory reading.
>
> However, that doesn't negate the fact that to run OCS Agent as
> is in a guest you might just need to create /dev/mem.

you might want to check with the source (of OCS Agent)
what the application actually does with /dev/mem

best,
Herbert

> regards,
>
> D.
>
>
> blaze your trail
>
> --
> redhat
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sat Mar 17 18:36:00 2007
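
An added example, not part of the original thread or of Linux-VServer: a host-side audit that reports any character device node under the guest trees whose device numbers match the kernel's memory devices, the exposure discussed in the message above. The /vservers base path and the function names are assumptions.

```python
"""Audit guest trees for device nodes that expose host memory (added example)."""
import os
import stat
import sys

# Linux character devices with major 1 that expose memory or I/O ports.
MEMORY_DEVICES = {(1, 1): "mem", (1, 2): "kmem", (1, 4): "port"}


def classify(st_mode, st_rdev):
    """Return the memory device name for a node's mode/rdev, else None.

    The check uses device numbers, not file names, so a node created as
    /dev/foo with major 1, minor 1 is still reported as "mem".
    """
    if not stat.S_ISCHR(st_mode):
        return None
    return MEMORY_DEVICES.get((os.major(st_rdev), os.minor(st_rdev)))


def scan_tree(root, lstat=os.lstat):
    """Walk a directory tree and return sorted (path, device) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = lstat(path)  # lstat: never follow guest symlinks
            except OSError:
                continue  # node vanished or is unreadable; skip it
            device = classify(st.st_mode, st.st_rdev)
            if device:
                findings.append((path, device))
    return sorted(findings)


def main(argv):
    # Assumption: guest roots live under /vservers; pass another base if not.
    base = argv[1] if len(argv) > 1 else "/vservers"
    hits = scan_tree(base)
    for path, device in hits:
        print(f"{path}: host '{device}' device node present in guest tree")
    return 1 if hits else 0  # non-zero exit lets cron or CI flag the finding


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the host so every guest directory is readable; a non-zero exit status means at least one such node exists.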

Generated on Sat 17 Mar 2007 - 18:36:06 GMT by hypermail 2.1.8