On Thu, 8 Jan 2004, Herbert Poetzl wrote:
> recently (end of december last year) somebody posted > a mystic message to one of the german webhosting lists > stating, that vserver is insecure, and that he would > suggest not to use it (no details where given) ... > > it 'seems' that the poster was worried about the > ability to sniff network packets from other vservers > on the same host, when inside a vserver. Could he have been referring to CAP_NET_RAW? I saw a few docs suggesting that it needs to be enabled in order for ping to work. IMHO that's not very good advice, since it allows a vserver user to send all kinds of crap from within vserver to the network. An evil creative mind could come up with some way to jeopardize security/stability with raw net access. The best way to deal with ping (and traceroute) is probably to replace those commands with clients to some kind of a pingd/tracerouted daemon running on the main server that would perform the ping and return the output. Grisha _______________________________________________ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
