On Thu, Jan 08, 2004 at 06:24:49PM -0500, Gregory (Grisha) Trubetskoy wrote:
>
> On Thu, 8 Jan 2004, Herbert Poetzl wrote:
>
> > recently (end of December last year) somebody posted
> > a mystic message to one of the German webhosting lists
> > stating that vserver is insecure, and that he would
> > suggest not to use it (no details were given) ...
> >
> > it 'seems' that the poster was worried about the
> > ability to sniff network packets from other vservers
> > on the same host, when inside a vserver.
>
> Could he have been referring to CAP_NET_RAW? I saw a few docs suggesting

probably ...

> that it needs to be enabled in order for ping to work. IMHO that's not
> very good advice, since it allows a vserver user to send all kinds of crap
> from within vserver to the network. An evil creative mind could come up
> with some way to jeopardize security/stability with raw net access.

well, nobody concerned with security would enable something
named 'CAP_NET_RAW' without making sure that this doesn't
weaken the security, right?

> The best way to deal with ping (and traceroute) is probably to replace
> those commands with clients to some kind of a pingd/tracerouted daemon
> running on the main server that would perform the ping and return the
> output.

some tools (traceroute or tracepath) make use of udp instead
of icmp, which is no big deal in a vserver, only ping 'requires'
the insecure icmp/raw access ...

HTH,
Herbert

> Grisha

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
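The thread turns on one question: does the guest context actually hold CAP_NET_RAW, and can it therefore open the raw ICMP socket that `ping` needs? The script below is an added example, not code from either poster or from the vserver project. It decodes the `Cap*` hex masks that the Linux kernel prints in `/proc/<pid>/status` (CAP_NET_RAW is capability bit 13), and then probes the socket call itself so the two views can be compared. The `SAMPLE_STATUS` text is constructed for illustration: a context granted every capability except CAP_NET_RAW.

```python
"""Check whether a context holds CAP_NET_RAW and whether it can open the raw
ICMP socket that ping uses. Added example, not from the mailing-list thread."""
import errno
import socket

# Bit number of CAP_NET_RAW in the Linux capability bitmask (<linux/capability.h>).
CAP_NET_RAW = 13


def cap_in_mask(cap_hex: str, cap: int) -> bool:
    """Return True if capability bit `cap` is set in a hex mask such as CapEff."""
    return bool((int(cap_hex, 16) >> cap) & 1)


def parse_status_caps(status_text: str) -> dict:
    """Pull the Cap* lines (CapInh, CapPrm, CapEff, CapBnd, ...) out of /proc/<pid>/status text."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = value.strip()
    return caps


def net_raw_state(status_text: str) -> dict:
    """Report whether CAP_NET_RAW is in the permitted, effective and bounding sets."""
    caps = parse_status_caps(status_text)
    return {name: cap_in_mask(caps[name], CAP_NET_RAW)
            for name in ("CapPrm", "CapEff", "CapBnd") if name in caps}


def can_open_raw_icmp() -> tuple:
    """Try to create the socket ping needs.

    Returns (True, reason) on success; (False, 'EPERM') is what a context
    without effective CAP_NET_RAW gets back from the kernel."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    s.close()
    return True, "raw ICMP socket created"


# Constructed sample status text: all 38 early-2.6 capabilities granted
# (0x3fffffffff) with bit 13, CAP_NET_RAW, cleared -> ...fdfff.
SAMPLE_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t0000003fffffdfff
CapEff:\t0000003fffffdfff
CapBnd:\t0000003fffffdfff
"""

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print("this process:", net_raw_state(f.read()), can_open_raw_icmp())
    print("sample text :", net_raw_state(SAMPLE_STATUS))
```

Run inside the guest to confirm that the capability is absent from all three sets and that the socket call fails with EPERM; both checks should agree. The same capability also gates AF_PACKET sockets, so denying it covers the sniffing concern in the original post as well as the raw-send concern. Later kernels (3.0 and up) added unprivileged "ping sockets" (`SOCK_DGRAM`/`IPPROTO_ICMP`, enabled per group via `net.ipv4.ping_group_range`), which let ping work without granting CAP_NET_RAW at all; that option did not exist when this thread was written.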