openvds-devel

Re: [Openvds-devel] Control Panel for OpenVDS-2


From: Joe Cooper
Subject: Re: [Openvds-devel] Control Panel for OpenVDS-2
Date: Mon, 14 Jan 2002 13:31:52 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.7) Gecko/20011221

Dave Cost wrote:

Mind if I ask how?


Please be patient.


Hmmmm...Oh, alright.  Patient I will be.


Again the BSD jail() is actually relying on *capabilities* offered within the BSD process system (and the extra entry in the PS struct that ensures pass-down of the restrictions from father to child). This would be a useful thing to have; however...


This is the same way Linux works. There's a way of dropping capabilities to child processes that prevents even root from getting them back. Like I said, root is just another user. Once a capability is dropped, there's no turning back.

Proving myself to be a nuisance yet again: How? Ok, not how do capabilities go only one way--that I get. How are you logging in the virtual root user and creating a running environment within the chroot? I know (from my reading up on capabilities in detail over the past few hours) that if init has been limited in capabilities, then all processes on the system will be equally limited...so what process are you locking to your capabilities subset that logs in the new virt-root, and runs all of her daemons etc. so that they are similarly restricted?


You answer your questions ;-) If you limit a process, all its children will be limited too, with no way back. Further, the process can elect to lose a capability for ever and won't be able to get it back. If you start an "init" process in a virtual, all its children will be limited to the max of the first process.

After studying vserver this morning (Solucorp's solution to this problem), I think I get it. And I like it. And he (Jacques Gélinas) has actually solved some of the problems of dedicated virts in amazingly elegant ways--vunify with a sort of 'magic' immutable attribute is just a jaw-dropping thing. I'm going to be playing with the vserver stuff over the next few days...I think it is probably worth considering as a basis for the next OpenVDS. It isn't a whole solution, but it sure is neat. No reason not to leverage existing work (while being wary of its reliance on kernel patches--I'll have to study them to make sure I can maintain those patches on my own in case solucorp bores of maintaining them ;-). I just hope it is more stable than LinuxConf...If so, I'll forgive him for hosing my Sendmail configuration the first time I tried LinuxConf.
--
Joe Cooper <address@hidden>
http://www.swelltech.com
Web Caching Appliances and Support
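The one-way capability drop discussed in the quoted exchange ("once a capability is dropped, there's no turning back", and a limited "init" whose children are all capped at its level), as an added example that is not code from this thread, from OpenVDS or from vserver. It is a C program that removes one capability from the Linux per-process capability bounding set with prctl(2) and then checks that the parent cannot read it back and that a forked child inherits the restriction. It assumes a Linux 2.6.25 or later kernel, where PR_CAPBSET_DROP and PR_CAPBSET_READ exist; the 2.4 kernels of the thread's era had only a single system-wide bounding set (/proc/sys/kernel/cap-bound), so the per-process behaviour shown here is a later kernel feature. CAP_SYS_CHROOT is used only because losing it is harmless for a demonstration; the function names are this example's own.

```c
/* Added example (not from the OpenVDS thread): drop a capability from the
 * Linux per-process bounding set and show the drop is permanent and inherited.
 * Assumes Linux >= 2.6.25 (PR_CAPBSET_DROP / PR_CAPBSET_READ). Build with
 * "cc -o capdrop capdrop.c"; run as root to see the drop actually happen.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

/* 1 if cap is in this process's bounding set, 0 if not, -errno on failure.
 * Reading the bounding set needs no privilege. */
static int capbset_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    return r < 0 ? -errno : r;
}

/* Remove cap from the bounding set. Needs CAP_SETPCAP in the effective set;
 * returns 0 on success or -errno. There is no inverse operation. */
static int capbset_drop(int cap)
{
    return prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) == 0 ? 0 : -errno;
}

/* Fork a child and report whether the child still sees cap in its bounding
 * set: 1 = yes, 0 = no, 2 = the child's read failed, -1 = fork/wait failure. */
static int child_sees_cap(int cap)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int h = capbset_has(cap);        /* bounding set is copied on fork() */
        _exit(h < 0 ? 2 : h);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Run the whole demonstration for one capability.
 * Returns: 0 = dropped, and verified gone in both parent and child,
 *          1 = unprivileged (EPERM), nothing was changed,
 *          2 = cap was already absent from the bounding set,
 *         -1 = unexpected error. */
int demo_capbset_drop(int cap)
{
    int before = capbset_has(cap);
    if (before < 0) return -1;
    if (before == 0) return 2;

    int rc = capbset_drop(cap);
    if (rc == -EPERM) return 1;
    if (rc != 0) return -1;

    /* No syscall re-adds a bounding-set bit, so the read must now be 0 ... */
    if (capbset_has(cap) != 0) return -1;
    /* ... and the restriction follows into children; for a uid-0 process the
     * permitted set after execve() is derived from this bounding set, which is
     * why a root shell started from here cannot regain the capability. */
    if (child_sees_cap(cap) != 0) return -1;
    return 0;
}

int main(void)
{
    int r = demo_capbset_drop(CAP_SYS_CHROOT);
    switch (r) {
    case 0:  puts("CAP_SYS_CHROOT dropped; parent and child both lack it now"); break;
    case 1:  puts("not privileged (need CAP_SETPCAP); nothing dropped"); break;
    case 2:  puts("CAP_SYS_CHROOT was already outside the bounding set"); break;
    default: puts("unexpected error"); return 1;
    }
    if (r == 0) {
        /* Bit 18 (CAP_SYS_CHROOT) is clear in CapBnd even for a root shell. */
        execl("/bin/sh", "sh", "-c", "grep CapBnd /proc/self/status", (char *)0);
    }
    return 0;
}
```

Run as a normal user the program reports EPERM and changes nothing; run as root (or with CAP_SETPCAP) it drops the bit, confirms the parent and a forked child both read it as absent, and then execs a shell whose CapBnd mask in /proc/self/status has bit 18 cleared. That exec step is the point the thread makes about a restricted "init": everything launched below it, root included, starts from the reduced bounding set.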
