On 7/7/06, Herbert Poetzl <[EMAIL PROTECTED]> wrote:
On Wed, Jul 05, 2006 at 01:54:28AM +0000, Daniel W. Crompton wrote:
On 7/4/06, Baltasar Cevc <[EMAIL PROTECTED]> wrote:
On 04.07.2006, at 10:29, Daniel W. Crompton wrote:
<...snipped for brevity...>
Obviously, you are giving the guest full access. Then again setting a
routing on the guest is rather hard without CAP_NET_ADMIN, and as I

well, the real danger here is, inside the guest
(with CAP_NET_ADMIN), root can easily take your
host interface down and render all your guests
unusable ... so use with caution :)

Is there a way to allow the guest to set routes without giving CAP_NET_ADMIN?

Also my vservers need to be portable over many systems so having too
much host based configuration would make the transfer of a vserver
from one host to another more difficult than sending vserver stop and
start commands to the different hosts.

this could be easily solved with the various startup
and shutdown scripts (pre-pre, pre, post, post-post)

Thanks for the hint, I'll look into this.

On the security I can access the vpn from another unprivileged vserver
on the same host:

<...snipped tcpdump...>

This makes any other vserver I run with or without CAP_NET_ADMIN a
vserver with elevated rights, which means just adding the tun/tap
device is dangerous. And as tap is meant for the creation of raw
ethernet frames this means, in principle, I would be able to send raw
ethernet data to the remote host, that also means routing data.

you can as well create the tun/tap device as
persistent one on the host (when the guest is
started up) and 'just' use it inside the guest
(in which case you can remove all the caps)

And then set iptables in the host to disallow the other vservers
access to the device?

How secure is that?

not very secure :)

Really, being able to access the remote network from a second vserver
is secure. ;)

Just quickly searching around, my understanding is that you have to
create the tun device on the host (which is what you want from a
security perspective). Afterwards you can assign it to a guest and
OpenVPN should be happy to use that one. However that seems to work
with tap, I assume it won't work using tun as a device.

It should, both tun and tap come from the same module, where tap is
slightly more powerful than tun.

one is layer 3 the other layer 2, except for that
there is no real difference in the 'powerfullness'

Giving layer 2 access to a guest is equivalent to giving CAP_NET_RAW
access, or am I mistaken?

<...snipped CAP_SYS_MODULE comments...>
<...snipped CAP_MKNOD comments...>

Anybody installing a vpn on their vserver then giving somebody they
can't trust high level access to the vserver has just opened 2
networks for attack. What disturbs me more is the fact that I can
access the vpn from another vserver.

that is the least thing I'd worry about :)

The vserver with CAP_NET_ADMIN is accessible to only me, the other
vserver is not. I worry about these things. ;)

D.


blaze your trail

--
redhat
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
