Hello, I wonder why root inside my vservers can still access block devices?
I built kernel 2.4.20ctx-16 and vserver-0.22 on Debian testing and set up a virtual server context where sshd runs inside. This works fine. Unfortunately, after connecting to my vserver from another machine, root inside my vserver is still able to access block devices, although it only has the limited (--secure) set of capabilities described in the reducecap manpage. So root can do things like 'cat /dev/hda1' or 'cat /dev/random > /dev/hda1'. Since I read that root inside a vserver "can't take over the machine" or even "can't access block devices" (vserver documentation 2.2), I wonder why root is able to do so on my machine. Okay, I thought I did something wrong and installed the precompiled kernel and binaries from solucorp and set up another vserver. I didn't enter any capabilities at the S_CAPS parameter, but after entering the vserver context root can still access block devices. Can anyone tell me what I did wrong or what else I can try? Thanks a lot, Rico Hauke
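An added diagnostic for the situation described above (example code, not from the post or the vserver project): it reports which capability bits the current process really holds, and separately whether a device node is readable under ordinary file permissions, since a plain read() or write() on a block device is decided by the node's owner and mode rather than by any capability. It assumes a Linux /proc with a CapEff line and the standard capability bit numbers from linux/capability.h.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks two things:
#   1. the effective capability mask of this process (CapEff in
#      /proc/self/status; Linux 2.4+ layout assumed);
#   2. whether a block device node is readable by plain DAC permissions,
#      which is what governs 'cat /dev/hda1' regardless of capabilities.
# Bit numbers are the standard ones from linux/capability.h.
CAP_DAC_OVERRIDE=1
CAP_SYS_RAWIO=17
CAP_SYS_ADMIN=21

# cap_in_mask BIT HEXMASK: succeed (0) if bit BIT is set in the hex mask
cap_in_mask() {
    _val=$((0x$2))
    [ $(( (_val >> $1) & 1 )) -eq 1 ]
}

# current_capeff: print this process's effective capability mask (hex)
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# device_readable PATH: succeed if PATH is a block device this process
# may open for reading under ordinary permission checks
device_readable() {
    [ -b "$1" ] && [ -r "$1" ]
}

# report DEV: summary for one device node, e.g. report /dev/hda1
report() {
    dev="$1"; mask=$(current_capeff)
    echo "CapEff=${mask:-unknown}"
    for c in DAC_OVERRIDE:$CAP_DAC_OVERRIDE SYS_RAWIO:$CAP_SYS_RAWIO \
             SYS_ADMIN:$CAP_SYS_ADMIN; do
        name=${c%%:*}; bit=${c##*:}
        if [ -n "$mask" ] && cap_in_mask "$bit" "$mask"; then
            echo "  CAP_$name: held"
        else
            echo "  CAP_$name: not held"
        fi
    done
    if device_readable "$dev"; then
        echo "$dev: readable by permission bits ($(ls -l "$dev"))"
        echo "  -> reducing capabilities does not change this;" \
             "the node itself must be absent or restricted in the context"
    else
        echo "$dev: not a readable block device for this user"
    fi
}
```

Run `report /dev/hda1` inside the context: if the node is readable while CAP_SYS_RAWIO and CAP_SYS_ADMIN are not held, the access comes from the device node's permissions, not from leftover capabilities.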
