Re: [vserver] mknod inside vserver (bind error)

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Mon 23 Mar 2009 - 21:36:22 GMT
Message-ID: <20090323213622.GA6532@MAIL.13thfloor.at>

On Mon, Mar 23, 2009 at 07:39:15PM +0100, Jarry wrote:
> Hi,
> I want to run chroot-ed bind in vserver. In order to do that,
> I must create a few devices (/chroot/dns/dev/zero and
> /chroot/dns/dev/urandom). But mknod gives me this error:

> mknod: `/chroot/dns/dev/zero': Operation not permitted
> mknod: `/chroot/dns/dev/urandom': Operation not permitted

> Does it mean it is not allowed to do mknod inside vserver?

not by default (i.e. that bcapability is not given
to a secure guest)

> Is there any fix,

as it is intentional, there is no 'fix' to be
expected :)

> or workaround?

many, the simplest and still secure approach is
to create the necessary devices from the host
(either via mknod or simply by copying them into
the guest)

another approach is to set up device mapping
properly to allow certain 'considered secure'
devices to be created inside a guest

yet another (but insecure) approach is to give
the bcapability to create arbitrary device nodes
to the guest

HTH,
Herbert

> Jarry
>
>
> --
> _______________________________________________________________
> This mailbox accepts e-mails only from selected mailing-lists!
> Everything else is considered to be spam and therefore deleted.
Received on Mon Mar 23 21:36:34 2009
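
The host-side approach from the reply above, as an added example that is not part of the original message: a script run as root on the host that creates the two character devices in the guest's chroot and refuses to touch anything unexpected already at those paths. The function names and the guest path in the usage comment are placeholders; the device numbers (zero = 1,5 and urandom = 1,9) are the standard Linux ones, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example. Run on the HOST as root, not inside the guest.
# Usage (path is a placeholder for your guest's root on the host):
#   make_guest_devs /path/to/guest-root/chroot/dns/dev
DEVICES="zero:1:5 urandom:1:9"   # name:major:minor, standard Linux numbers

# Dry run: print the mknod commands for a guest dev directory.
plan_guest_devs() {
    dir=$1
    for spec in $DEVICES; do
        name=${spec%%:*}; rest=${spec#*:}
        printf 'mknod -m 666 %s/%s c %s %s\n' \
            "$dir" "$name" "${rest%%:*}" "${rest#*:}"
    done
}

# check_node PATH MAJOR MINOR
# returns 0 = correct char device, 1 = exists but wrong, 2 = missing
check_node() {
    [ -e "$1" ] || [ -L "$1" ] || return 2
    # The guest controls this tree: never follow a symlink it may have placed.
    [ -L "$1" ] && return 1
    [ -c "$1" ] || return 1
    # GNU stat prints major (%t) and minor (%T) in hex.
    [ "$(stat -c '%t:%T' "$1")" = "$(printf '%x:%x' "$2" "$3")" ]
}

# Create the missing nodes; stop if something unexpected is already there.
make_guest_devs() {
    dir=$1
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 1
    fi
    for spec in $DEVICES; do
        name=${spec%%:*}; rest=${spec#*:}
        major=${rest%%:*}; minor=${rest#*:}
        rc=0
        check_node "$dir/$name" "$major" "$minor" || rc=$?
        case $rc in
            0) continue ;;                       # already correct
            1) echo "refusing to replace $dir/$name" >&2; return 1 ;;
        esac
        mknod -m 666 "$dir/$name" c "$major" "$minor" || return 1
    done
}
```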
