openvds-devel

RE: [Openvds-devel] Control Panel for OpenVDS-2


From: Dave Cost
Subject: RE: [Openvds-devel] Control Panel for OpenVDS-2
Date: Mon, 14 Jan 2002 15:17:57 -0800

> You'll have to have some *tight* capabilities;  consider that:
>
>   a) root can create a hard link to inode zero (jail busted).
>
>   b) do anything they want with /proc/kcore (*whatever* to *whoever*).

Could you please provide pointers to some working exploits so I can run some
tests?

> The only thing I saw in the BSD jail() was locking all communications to a
> specific IP address;  currently the default BIND in VSD is the
> hosting-server's IP address, and secondly, there's no checking against
> binding against 0.0.0.0  (ie, everyone else's IP too).

This will be addressed in OpenVDS-2. You'll only be able to bind the virtual
address even if you bind 0.0.0.0, in fact this is a major feature that will
allow us to safely install servers with general-purpose configuration files,
exactly by binding 0.0.0.0 ;-)

> Again the BSD jail() is actually relying on *capabilities* offered within
> the BSD process system (and the extra entry in the PS struct that ensures
> pass-down of the restrictions from father to child.  This would be a useful
> thing to have;  however...

This is the same way Linux works. There's a way of dropping capabilities to
child processes that prevent even root from getting them back. Like I said,
root is just another user. Once a capability is dropped, there's no turning
back.

Dave.
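
The capability drop described in the message above, as an added example that is not part of the original post or of the OpenVDS code: a process clears one capability from its own sets, forks, and the child's attempt to raise it again is refused by the kernel. The function names and the choice of CAP_SYS_RAWIO are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if `cap` is in the caller's permitted set, 0 if not, -1 on error. */
static int cap_permitted(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[cap / 32].permitted >> (cap % 32)) & 1;
}

/* raise=0: clear `cap` from effective, permitted and inheritable.
 * raise=1: try to set it in effective and permitted. Returns 0 or -errno. */
static int cap_change(int cap, int raise) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };
    unsigned bit = 1u << (cap % 32);
    if (syscall(SYS_capget, &hdr, data) != 0) return -errno;
    if (raise) { data[cap / 32].effective |= bit; data[cap / 32].permitted |= bit; }
    else { data[cap / 32].effective &= ~bit; data[cap / 32].permitted &= ~bit;
           data[cap / 32].inheritable &= ~bit; }
    return syscall(SYS_capset, &hdr, data) != 0 ? -errno : 0;
}

/* Drop `cap`, fork, and let the child try to take it back.
 * Returns 1 if the child was refused (EPERM) and still lacks the capability,
 * 0 if the child regained it, -1 on error. Works with or without root. */
int drop_is_permanent(int cap) {
    /* Best effort, needs CAP_SETPCAP: also remove `cap` from the bounding set,
     * otherwise a uid-0 child that calls execve() would be granted it again. */
    prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
    if (cap_change(cap, 0) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)   /* child inherits the reduced sets; uid 0 does not help */
        _exit(cap_change(cap, 1) == -EPERM && cap_permitted(cap) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("drop permanent: %d\n", drop_is_permanent(CAP_SYS_RAWIO));
    return 0;
}
```

The kernel rejects any capset() whose new permitted set is not a subset of the old one, which is why the child cannot undo the drop regardless of its uid.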



