openvds-devel

Re: [Openvds-devel] Control Panel for OpenVDS-2


From: Paul Sladen
Subject: Re: [Openvds-devel] Control Panel for OpenVDS-2
Date: Mon, 14 Jan 2002 13:52:27 +0000 (GMT)

On Mon, 14 Jan 2002, Wim Godden wrote:
>
> Isn't that a bit risky ? If those users will be root (even if chrooted), they
> will run processes as root as well, right ?

You'll have to have some *tight* capabilities;  consider that:

  a) root can create a hard link to inode zero (jail busted).

  b) do anything they want with /proc/kcore (*whatever* to *whoever*).

The only thing I saw in the BSD jail() was locking all communications to a
specific IP address;  currently the default BIND in VSD is the
hosting-server's IP address, and secondly, there's no checking against
binding against 0.0.0.0  (i.e., everyone else's IP too).

Again the BSD jail() is actually relying on *capabilities* offered within
the BSD process system (and the extra entry in the PS struct that ensures
pass-down of the restrictions from father to child).  This would be a useful
thing to have;  however...

        -Paul
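
The missing check on 0.0.0.0 binds that the message above describes, sketched as an added example (not OpenVDS or VSD code, and not part of the original post). The names `vs_check_bind` and `vs_check_bind_str`, the choice to rewrite a wildcard bind to the virtual server's own address, and the refusal of loopback are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum bind_verdict { BIND_ALLOW, BIND_REWRITTEN, BIND_DENY };

/* vs_ip: the one address assigned to this virtual server (network order).
 * On ALLOW/REWRITTEN, *out holds the address the socket should really get. */
enum bind_verdict vs_check_bind(const struct sockaddr_in *req, in_addr_t vs_ip,
                                struct sockaddr_in *out)
{
    if (req->sin_family != AF_INET)
        return BIND_DENY;
    *out = *req;
    if (req->sin_addr.s_addr == htonl(INADDR_ANY)) {
        /* 0.0.0.0 would listen on every other virtual server's address too. */
        out->sin_addr.s_addr = vs_ip;
        return BIND_REWRITTEN;
    }
    /* Anything else, including the hosting server's IP and loopback, is refused. */
    return req->sin_addr.s_addr == vs_ip ? BIND_ALLOW : BIND_DENY;
}

/* Dotted-quad wrapper; writes the effective bind address into eff. */
enum bind_verdict vs_check_bind_str(const char *want, const char *vs, char *eff, socklen_t n)
{
    struct sockaddr_in req = { .sin_family = AF_INET }, out = { 0 };
    struct in_addr vs_addr;
    eff[0] = '\0';
    if (inet_pton(AF_INET, want, &req.sin_addr) != 1 ||
        inet_pton(AF_INET, vs, &vs_addr) != 1)
        return BIND_DENY;
    enum bind_verdict v = vs_check_bind(&req, vs_addr.s_addr, &out);
    if (v != BIND_DENY)
        inet_ntop(AF_INET, &out.sin_addr, eff, n);
    return v;
}

int main(void)
{
    /* Constructed sample addresses (RFC 5737 documentation range). */
    const char *vs = "192.0.2.10", *tries[] = { "0.0.0.0", "192.0.2.10", "192.0.2.1", "127.0.0.1" };
    char eff[INET_ADDRSTRLEN];
    for (int i = 0; i < 4; i++) {
        enum bind_verdict v = vs_check_bind_str(tries[i], vs, eff, sizeof eff);
        printf("%-12s -> %s %s\n", tries[i],
               v == BIND_DENY ? "deny" : v == BIND_ALLOW ? "allow" : "rewrite to", eff);
    }
    return 0;
}
```

The policy only holds if the restriction is inherited by every child process, which is the pass-down the message attributes to the BSD process structure.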



