Re: [vserver] tcpdump inside vserver, recommendation

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Tue 17 Jan 2012 - 04:13:30 GMT
Message-ID: <20120117041330.GE22455@MAIL.13thfloor.at>

On Mon, Jan 16, 2012 at 10:06:19AM +1100, Steve Kieu wrote:
> Hello everyone,

> I know I can ssh in the host and run tcpdump but I do not want to.
> So I need it from the vserver instance.

> From

> http://linux-vserver.org/Capabilities_and_Flags

> I think I can do

> echo "NET_RAW" >> /etc/vservers/myserver/bcapabilities

> I could not see any more serious security problems when
> adding this (not like NET_ADMIN), but I am not an expert at all.

well, this bcapability allows the guest to use RAW
(and PACKET) sockets, which means that it will be
able to do the following:

 - listen to any packet transmitted on the available
   interfaces (that's what tcpdump does)

 - forge any packet (i.e. make it look like it came
   from somewhere else)

 - create llc_ui and hci sockets (bluetooth)

> Any comment, suggestions, idea please?

if you know the implications and you are okay with
that, then it's perfectly fine to give that capability;
just don't expect that it is secure for a potentially
hostile environment.

best,
Herbert

> kind regards,

> --
> Steve Kieu
Received on Tue Jan 17 04:13:44 2012
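As an added example (not part of the thread, and not Linux-VServer project code): a small POSIX sh audit that walks a vserver config root and reports every guest whose bcapabilities file grants NET_RAW or NET_ADMIN, with the reason each one matters. It assumes the /etc/vservers/<guest>/bcapabilities layout from the quoted echo line, one capability name per line, with `#` comments allowed; the sample guests in the test are constructed.

```shell
#!/bin/sh
# Audit Linux-VServer guest bcapabilities for capabilities that let a guest
# sniff or forge traffic. Added example, not from the original thread.
# Assumed layout: <root>/<guest>/bcapabilities, one capability per line.

# risk_reason <CAP>: print why the capability is worth flagging, or fail
# (return 1) for capabilities this audit does not track.
risk_reason() {
    case "$1" in
        NET_RAW)   echo "raw/packet sockets: sniff any interface, forge packets" ;;
        NET_ADMIN) echo "network admin: change interfaces, routes, firewall" ;;
        *)         return 1 ;;
    esac
}

# audit_vservers <config root, e.g. /etc/vservers>
# Prints one line per risky grant: "<guest> <CAP>: <reason>".
# Returns 0 when no risky capability was found, 1 otherwise.
audit_vservers() {
    root="$1"
    out=""
    for dir in "$root"/*/; do
        [ -r "$dir/bcapabilities" ] || continue
        guest=$(basename "$dir")
        # strip comments, upper-case, drop an optional CAP_ prefix;
        # word splitting on the substitution yields one token per capability
        for cap in $(sed 's/#.*//' "$dir/bcapabilities" | tr 'a-z' 'A-Z' | sed 's/CAP_//g'); do
            reason=$(risk_reason "$cap") || continue
            out="$out$guest $cap: $reason
"
        done
    done
    printf '%s' "$out"
    [ -z "$out" ]
}
```

Run it as `audit_vservers /etc/vservers`; a non-zero exit status means at least one guest can sniff or forge traffic on the host's interfaces.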
