Re: [vserver] Vserver and localhost sniffing

From: Daniel Hokka Zakrisson <daniel_at_hozac.com>
Date: Sat 01 Mar 2008 - 23:11:41 GMT
Message-ID: <36939.192.168.101.12.1204413101.squirrel@intranet>

Ed W wrote:
> Daniel Hokka Zakrisson wrote:
>> Alejandro Cabrera wrote:
>>
>>> <snip previous messages due to formatting>
>>> Just CAP_NET_RAW capability ??? Or in group with CAP_NET_ADMIN
>>> capability
>>> ???
>>>
>>
>> CAP_NET_RAW is what governs raw sockets. If you give a guest that, it
>> will be able to sniff/generate traffic as it sees fit.
>>
>
> So to be clear - this is *off* by default right?

Yes, of course.

> How do I check the caps that a running instance actually *has*?

cat /proc/virtual/<xid>/status
http://linux-vserver.org/Capabilities_and_Flags

With util-vserver 0.30.215+, vattribute --get --xid <guest> and nattribute
--get --nid <guest> are supposed to do that for you.

>> CAP_NET_ADMIN "only" lets the guest do network setup, such as
>> configuring interfaces, routes, etc.
>
> But couldn't this be used to bring up an interface with the same IP (or
> at least netmask) as a running vserver?

That interface would already be up. It doesn't allow the guest to modify
the list of addresses assigned to the context, so if it doesn't _also_
have CAP_NET_RAW, bringing up another interface wouldn't change anything.

> Eg consider using 127.0.x/24
> netmasks for each vserver, couldn't rogue vserver 2 tap into
> 127.0.1.y which we meant to assign only for use with vserver 1? This
> would at least allow them to talk to (eg) the mysql instance that we
> were running on 127.0.1.1/24 with an expectation of it being private to
> that vhost?

That would already be possible, unless you have iptables rules forbidding
that traffic... (Except on Linux-VServer 2.3, where 127.0.0.0/8 is
rewritten to the lback IP address.)

> Just checking?
>
> Ed W

-- 
Daniel Hokka Zakrisson
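The check Daniel points at (cat /proc/virtual/<xid>/status) as a small script, added here as an example; it is not code from the thread or from util-vserver. It assumes the status file carries a "BCaps:" line followed by the context's bounding capability set as a single hex mask (the layout of Linux-VServer 2.x kernels of that era; if your kernel prints the mask differently, adjust bcaps_from_status), and it uses the standard Linux capability bit numbers CAP_NET_ADMIN = 12 and CAP_NET_RAW = 13. The sample status texts are constructed for the demonstration; on a real host the last loop reads the live contexts instead.

```shell
#!/bin/sh
# Added example (not from the vserver thread or util-vserver): report whether a
# Linux-VServer guest context holds CAP_NET_ADMIN / CAP_NET_RAW, read from the
# bounding capability mask in /proc/virtual/<xid>/status.
# Assumptions: the file has a "BCaps:<TAB><hex mask>" line with one hex number,
# and capability bits are the standard Linux ones (CAP_NET_ADMIN=12, CAP_NET_RAW=13).

CAP_NET_ADMIN=12
CAP_NET_RAW=13

# bcaps_from_status STATUS_TEXT: print the hex mask from the BCaps: line (no 0x).
bcaps_from_status() {
    printf '%s\n' "$1" | awk -F '[:\t ]+' '/^BCaps:/ { print $2; exit }'
}

# has_cap HEXMASK BIT: succeed when bit BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_caps_report STATUS_TEXT: one line saying which of the two caps are held.
# Fails (status 1) when no BCaps: line is present, so a wrong path is not
# silently reported as "no".
net_caps_report() {
    mask=$(bcaps_from_status "$1")
    if [ -z "$mask" ]; then
        echo "no BCaps line found" >&2
        return 1
    fi
    admin=no; raw=no
    has_cap "$mask" "$CAP_NET_ADMIN" && admin=yes
    has_cap "$mask" "$CAP_NET_RAW" && raw=yes
    printf 'CAP_NET_ADMIN=%s CAP_NET_RAW=%s\n' "$admin" "$raw"
}

# check_guest XID: run the report on a live context (needs a vserver host kernel).
check_guest() {
    net_caps_report "$(cat "/proc/virtual/$1/status")"
}

# Constructed sample status files; only the BCaps line matters to the check.
# bits 0-11 set, neither network cap:
SAMPLE_NO_NET=$(printf 'UseCnt:\t3\nTasks:\t12\nFlags:\t0000000000000005\nBCaps:\t0000000000000fff\nCCaps:\t0000000000000000\n')
# bits 0-12 set, CAP_NET_ADMIN only:
SAMPLE_ADMIN=$(printf 'UseCnt:\t3\nTasks:\t12\nFlags:\t0000000000000005\nBCaps:\t0000000000001fff\nCCaps:\t0000000000000000\n')
# bits 0-13 set, CAP_NET_ADMIN and CAP_NET_RAW (guest can sniff):
SAMPLE_SNIFF=$(printf 'UseCnt:\t3\nTasks:\t12\nFlags:\t0000000000000005\nBCaps:\t0000000000003fff\nCCaps:\t0000000000000000\n')

net_caps_report "$SAMPLE_NO_NET"   # CAP_NET_ADMIN=no CAP_NET_RAW=no
net_caps_report "$SAMPLE_ADMIN"    # CAP_NET_ADMIN=yes CAP_NET_RAW=no
net_caps_report "$SAMPLE_SNIFF"    # CAP_NET_ADMIN=yes CAP_NET_RAW=yes

# On a real host, walk every running context.
if [ -d /proc/virtual ]; then
    for d in /proc/virtual/[0-9]*; do
        [ -f "$d/status" ] || continue
        printf 'xid %s: ' "${d##*/}"
        check_guest "${d##*/}" || true
    done
fi
```

Any guest whose report says CAP_NET_RAW=yes can sniff and forge traffic on the host's interfaces, which is the case the thread warns about; CAP_NET_ADMIN on its own lets it reconfigure interfaces and routes but, as Daniel notes, not change the context's assigned addresses.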
Received on Sat Mar 1 23:19:04 2008
Generated on Sat 01 Mar 2008 - 23:19:16 GMT by hypermail 2.1.8