Package: linux-2.6
Version: 2.6.18.dfsg.1-12
Severity: important
Tags: patch

The VXC_BINARY_MOUNT capability should be sufficient to mount network filesystems, but it's not. Due to this bug, users currently must grant a vserver SYS_ADMIN capabilities in order to mount network filesystems. Though this works, SYS_ADMIN also gives the vserver a hell of a lot of other privileges as well (turn swap off & on, configure md, access to nvram, etc). See http://linux-vserver.org/Capabilities_and_Flags for the full list.

This patch from upstream fixes the issue.

diff -NurpP --minimal linux-2.6.18.5-vs2.0.2.2-rc9/fs/super.c linux-2.6.18.5-vs2.0.3-rc1/fs/super.c --- linux-2.6.18.5-vs2.0.2.2-rc9/fs/super.c 2006-09-20 17:59:47 +0200 +++ linux-2.6.18.5-vs2.0.3-rc1/fs/super.c 2006-12-13 23:06:16 +0100 @@ -848,7 +848,7 @@ vfs_kern_mount(struct file_system_type * sb = mnt->mnt_sb; error = -EPERM; - if (!capable(CAP_SYS_ADMIN) && !sb->s_bdev && + if (!vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT) && !sb->s_bdev && (sb->s_magic != PROC_SUPER_MAGIC) && (sb->s_magic != DEVPTS_SUPER_MAGIC)) goto out_sb;

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: ia64

Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-itanium
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
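
Review bot: the relaxed test on the `!vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT) && !sb->s_bdev` line is not scoped to network filesystems. The only other conditions are `!sb->s_bdev` and the two magic-number exclusions for proc and devpts, so whatever satisfies `vx_capable()` here gets past this -EPERM check for any superblock that has no backing block device, not just the network filesystems the report describes. How `vx_capable()` combines its two arguments is not visible in this hunk, so a short comment above the condition stating that rule and the intended set of filesystem types would make the privilege boundary reviewable; if only network filesystems are meant, the condition should test for them explicitly.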