On Fri, Sep 17, 2004 at 10:37:20AM -0400, Gregory (Grisha) Trubetskoy wrote:
>
> On Fri, 17 Sep 2004, Herbert Poetzl wrote:
>
> >On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy
> >wrote:
> >>
> >>Is it possible to somehow use mount --bind from within a vserver?
> >>(vs1.28).
> >
> >not in a secure way with the 2.4 stable branch, but it is with recent
> >2.6 (vs1.9.x) devel branch ...
>
> Thanks
>
> >of course, after adding enough CAPs, everything is possible ...
>
> We do something like this to allow ping and traceroute - there is an
> outside process that reenters the vserver to execute a particular command
> with an elevated capability.

ping and traceroute should also work fine with 2.6 devel
branch ... without the need for additional CAPs ..

> At first look it seems that mount --bind obeys chroot and it should be
> safe for us to allow it as well, or is there some apparent security
> problem with this?

well, namespaces make --bind mounts secure, chroot jails
might pose some security issues ...

best,
Herbert

> There is more details on the aforementioned kludge here for those
> interested:
>
> http://www.openvps.org/cvs/viewcvs.cgi/oh-host/ohd/README?rev=1.1&content-type=text/vnd.viewcvs-markup
>
> Thanks for your help!
>
> Grisha
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
