Re: [vserver] Vserver and localhost sniffing

From: Ed W <lists_at_wildgooses.com>
Date: Sat 01 Mar 2008 - 22:38:52 GMT
Message-ID: <47C9DAFC.9090601@wildgooses.com>

Daniel Hokka Zakrisson wrote:
> Alejandro Cabrera wrote:
>
>> <snip previous messages due to formatting>
>> Just CAP_NET_RAW capability ??? Or in group with CAP_NET_ADMIN capability
>> ???
>>
>
> CAP_NET_RAW is what governs raw sockets. If you give a guest that, it will
> be able to sniff/generate traffic as it sees fit.
>

So to be clear - this is *off* by default right?

How do I check the caps that a running instance actually *has*?

> CAP_NET_ADMIN "only" lets the guest do network setup, such as configuring
> interfaces, routes, etc.

But couldn't this be used to bring up an interface with the same IP (or
at least netmask) as a running vserver? E.g. consider using 127.0.x/24
netmasks for each vserver: couldn't a rogue vserver 2 tap into
127.0.1.y, which we meant to assign only for use with vserver 1? This
would at least allow them to talk to (e.g.) the mysql instance that we
were running on 127.0.1.1/24 with an expectation of it being private to
that vhost?

Just checking?

Ed W
Received on Sat Mar 1 22:39:03 2008
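One way to answer the "how do I check the caps a running instance actually has" question above, as an added example that is not from the thread or the vserver project: decode the CapInh/CapPrm/CapEff/CapBnd masks the kernel exposes in /proc/<pid>/status for a process you know is running inside the guest. It assumes a Linux /proc and the capability bit numbers from linux/capability.h; how you find a PID belonging to the guest is left to the reader.

```sh
#!/bin/sh
# Added example, not from the thread: decode the capability masks that
# /proc/<pid>/status reports for a process running inside a guest.
# Bit numbers from linux/capability.h (assumed stable):
#   CAP_NET_BIND_SERVICE=10 CAP_NET_ADMIN=12 CAP_NET_RAW=13 CAP_SYS_ADMIN=21

# cap_bit NAME -> prints the bit number of one of the capabilities we track
cap_bit() {
    case "$1" in
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_ADMIN)        echo 12 ;;
        CAP_NET_RAW)          echo 13 ;;
        CAP_SYS_ADMIN)        echo 21 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_bit_set MASK_HEX BIT -> exit 0 iff BIT is set in the 64-bit hex mask
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# report_mask MASK_HEX -> prints the tracked capability names set in MASK
report_mask() {
    for name in CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN; do
        cap_bit_set "$1" "$(cap_bit "$name")" && echo "$name"
    done
    return 0
}

# proc_cap_mask PID FIELD -> hex mask of CapInh/CapPrm/CapEff/CapBnd for PID
proc_cap_mask() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# has_cap PID NAME -> exit 0 iff NAME is in PID's effective set
has_cap() {
    bit=$(cap_bit "$2") || return 2
    cap_bit_set "$(proc_cap_mask "$1" CapEff)" "$bit"
}

# Usage: sh checkcaps.sh <pid>   (a PID inside the guest, e.g. its init)
if [ -n "$1" ]; then
    for field in CapInh CapPrm CapEff CapBnd; do
        mask=$(proc_cap_mask "$1" "$field") || continue
        [ -n "$mask" ] && printf '%s %s -> %s\n' "$field" "$mask" \
            "$(report_mask "$mask" | tr '\n' ' ')"
    done
    has_cap "$1" CAP_NET_RAW && echo "WARNING: pid $1 can open raw sockets"
fi
```

The effective set of one process is not the whole story (a different process in the guest may hold more), so check the guest's init and anything it spawned with elevated privileges.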

Generated on Sat 01 Mar 2008 - 22:39:08 GMT by hypermail 2.1.8