Re: [Openvds-devel] Control Panel for OpenVDS-2

[Wim Godden]

> Right. But, when using capabilities root is just another uid. It's no
> different than any other user, except that it has all the capabilities,
> while a regular user has none.
> What we'll do is loose some capabilities before becoming a virtual root. For
> example we'll loose the capabilities to mess up with the network intefaces,
> the capability to insert modules in the kernel and all the other dangerous
> things.

Then you'll have to take away quite a lot of capabilities... and remember that
if chroot is exploited, all your boxing-in won't help anymore... that's why I
believe this solution is not exactly the most secure...