RE: [Openvds-devel] Control Panel for OpenVDS-2

[Dave Cost]

> Mind if I ask how?

Please be patient.

> >>Again the BSD jail() is actually relying on *capabilities*
> offered within
> >>the BSD process system (and the extra entry in the PS struct
> that ensures
> >>pass-down of the restrictions from father to child.  This would
> >>be a useful
> >>thing to have;  however...
> >>
> >
> > This is the same way linux works. There's a way of dropping
> capabilites to
> > child processes that prevent even root from getting them back.
> Like I said,
> > root is just another user. Once a capability is dropped,
> there's no turning
> > back.
>
> Proving myself to be a nuisance yet again: How?  Ok, not how does
> capabilities go only one way--that I get.  How are you logging in the
> virtual root user and creating a running environment within the chroot?
>   I know (from my reading up on capabilities in detail over the past few
> hours) that if init has been limited in capabilities, then all processes
> on the system will be equally limited...so what process are you locking
> to your capabilities subset that logs in the new virt-root, and runs all
> of her daemons etc. so that they are similarly restricted?

You answer your questions ;-) If you limit a process, all childs will be
limited too with no way back.
Furter, the process can elect to loose a capability for ever and won't be
able to get if back. If you start an "init" process in a virtual, all it's
childs will be limited to the max of the first process.

Dave.