On Sat, Sep 03, 2005 at 10:32:45AM -0600, Kevin Pendleton wrote:
> Herbert,
>
> This brings up a question I've been meaning to ask. Somehow in the
> newer versions of vserver there was a way to securely allow ping to work
> now without adding extra capabilities. Is it possible to do the same
> thing with other network troubleshooting utilities like traceroute,
> without giving up and allowing icmp_raw?

raw_icmp (sorry for the misinformation) _is_ the "hack" to allow
'secure' ping inside a guest without immediately compromising
security ... CAP_NET_RAW is the sledge hammer ...

HTH,
Herbert

> Kevin
>
> Herbert Poetzl wrote:
>
> >On Sat, Sep 03, 2005 at 04:37:39PM +0200, Andreas John wrote:
> >
> >>Hello!
> >>
> >>I frequently use mtr (a traceroute like util). In a guest it says:
> >>
> >>bastel:/# mtr www.yahoo.de
> >>mtr: unable to get raw sockets.
> >>
> >
> >my crystal ball says that you forgot to set
> >the icmp_raw context capability ...
> >
> >>I assume that it is generally forbidden by context to "get raw
> >>sockets" to prevent guests from doing nasty things? Is there a way to
> >>allow getting raw sockets? For special programs?
> >>
> >
> >yes, you can add the CAP_NET_RAW capability
> >but that automatically allows guest root to
> >sniff on other network traffic ...
> >
> >HTH,
> >Herbert
> >
> >>rgds,
> >>Andreas John
> >>
> >>_______________________________________________
> >>Vserver mailing list
> >>[email protected]
> >>http://list.linux-vserver.org/mailman/listinfo/vserver
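As an added example (not from this thread or the linux-vserver project), a small Linux C probe that makes Herbert's distinction concrete: ping, mtr and traceroute only need a raw ICMP socket (what raw_icmp is meant to allow), whereas CAP_NET_RAW also lets the process open a packet socket that sees every frame on an interface, which is why guest root can then sniff other traffic. Running it inside a guest shows which of the two the guest was actually given; the function names are mine.

```c
/* Added diagnostic, not linux-vserver code: report which raw-socket
 * abilities the calling process has. Linux only (AF_PACKET). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef __linux__
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#endif

/* Try to open a socket and close it again at once; nothing is sent or read.
 * Returns 1 if allowed, 0 if refused by permission, -1 on any other error.
 * The errno seen is stored in *err (0 on success). */
static int probe_socket(int domain, int type, int proto, int *err) {
    int fd = socket(domain, type, proto);
    if (fd >= 0) { close(fd); *err = 0; return 1; }
    *err = errno;
    return (errno == EPERM || errno == EACCES) ? 0 : -1;
}

/* Raw ICMP socket: the minimum that ping, mtr and ICMP traceroute need. */
int can_open_raw_icmp(int *err) {
    return probe_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP, err);
}

/* Packet socket capturing all ethertypes: the extra power that comes with
 * CAP_NET_RAW. If this succeeds inside a guest, guest root can sniff. */
int can_open_packet_socket(int *err) {
#ifdef __linux__
    return probe_socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL), err);
#else
    *err = EAFNOSUPPORT;
    return -1;
#endif
}

static void report(const char *what, int r, int err) {
    if (r == 1) printf("%-24s allowed\n", what);
    else printf("%-24s denied (%s)\n", what, strerror(err));
}

int main(void) {
    int err;
    report("raw ICMP socket:", can_open_raw_icmp(&err), err);
    report("AF_PACKET sniff socket:", can_open_packet_socket(&err), err);
    return 0;
}
```

A guest configured with only the ICMP context capability should show the first line allowed and the second denied; both allowed means the guest effectively holds CAP_NET_RAW.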
