Herbert,

This brings up a question I've been meaning to ask. Somehow in the newer versions of vserver there was a way to securely allow ping to work now without adding extra capabilities. Is it possible to do the same thing with other network troubleshooting utilities like traceroute, without giving up and allowing icmp_raw?

Kevin

Herbert Poetzl wrote:

> On Sat, Sep 03, 2005 at 04:37:39PM +0200, Andreas John wrote:
>> Hello!
>>
>> I frequently use mtr (a traceroute like util). In a guest it says:
>>
>> bastel:/# mtr www.yahoo.de
>> mtr: unable to get raw sockets.
>
> my crystal ball says that you forgot to set
> the icmp_raw context capability ...
>
>> I assume that it is generally forbidden by context to "get raw
>> sockets" to prevent guests from doing nasty things? Is there a way to
>> allow getting raw sockets? For special programs?
>
> yes, you can add the CAP_NET_RAW capability
> but that automatically allows guest root to
> sniff on other network traffic ...
>
> HTH,
> Herbert
>
>> rgds,
>> Andreas John

_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver