Re: [Openvds-devel] Control Panel for OpenVDS-2

[Joe Cooper]

Dave Cost wrote:


> > The only thing I saw in the BSD jail() was locking all communications to a
> > specific IP address;  currently the default BIND in VSD is the
> > hosting-servers's IP address, and secondly, there's no checking against
> > binding against 0.0.0.0  (ie, everyone else's IP too).
>
> This will be addressed in OpenVDS-2. You'll only be able to bind the virtual
> address even if you bind 0.0.0.0, in fact this is a major feature that will
> allow us to safely install servers with general-purpose configuration file,
> exactly by binding 0.0.0.0 ;-)


Mind if I ask how?


> > Again the BSD jail() is actually relying on *capabilities* offered within
> > the BSD process system (and the extra entry in the PS struct that ensures
> > pass-down of the restrictions from father to child.  This would
> > be a useful
> > thing to have;  however...
>
> This is the same way linux works. There's a way of dropping capabilites to
> child processes that prevent even root from getting them back. Like I said,
> root is just another user. Once a capability is dropped, there's no turning
> back.

Proving myself to be a nuisance yet again: How?  Ok, not how does 
capabilities go only one way--that I get.  How are you logging in the 
virtual root user and creating a running environment within the chroot? 
 I know (from my reading up on capabilities in detail over the past few 
hours) that if init has been limited in capabilities, then all processes 
on the system will be equally limited...so what process are you locking 
to your capabilities subset that logs in the new virt-root, and runs all 
of her daemons etc. so that they are similarly restricted?
--
Joe Cooper <address@hidden>
http://www.swelltech.com
Web Caching Appliances and Support