Hi!

[EMAIL PROTECTED] wrote:
Hello,

i wonder why root inside my vservers can still access block devices?

i built kernel 2.4.20ctx-16 and vserver-0.22 on debian testing and set up
a virtual server context where sshd runs inside. this works fine.
unfortunately after connecting to my vserver from another machine, root
inside my vserver is still able to access block devices, although it only
has the limited (--secure) set of capabilities described in the reducecap
manpage. so root can do things like 'cat /dev/hda1' or 'cat /dev/random >
/dev/hda1'. since i read that root inside a vserver "can't take over the
machine" or even "can't access block devices" (vserver documentation 2.2),
i wonder why root is able on my machine.

This is because you didn't follow vserver's "conventions". Vserver's /dev must have a minimal number of entries. I have these:
cheetah:/dev# ls -la
total 8
drwxr-xr-x 3 root root 4096 Jan 8 05:48 .
drwxr-xr-x 20 root root 4096 Nov 20 09:10 ..
-rw------- 1 root root 0 Mar 21 2002 .devfsd
lrwxrwxrwx 1 root root 13 Aug 17 02:06 MAKEDEV -> /sbin/MAKEDEV
lrwxrwxrwx 1 root root 11 Nov 20 04:07 core -> /proc/kcore
crw--w--w- 1 root root 1, 7 Aug 17 02:06 full
prw------- 1 root root 0 Aug 17 02:06 initctl
srw-rw-rw- 1 root root 0 Jan 8 05:48 log
crw-rw-rw- 1 root root 1, 3 Aug 17 02:06 null
crw-rw-rw- 1 root root 5, 2 Aug 17 02:06 ptmx
drwxr-xr-x 2 root root 0 Jan 8 05:48 pts
lrwxrwxrwx 1 root root 4 Nov 20 04:07 ram -> ram1
crw-r--r-- 1 root root 1, 8 Aug 17 02:06 random
srw------- 1 root root 0 Aug 17 02:06 reboot
crw-rw-rw- 1 root root 5, 0 Aug 17 02:06 tty
crw-r--r-- 1 root root 1, 9 Nov 21 14:06 urandom
prw-r----- 1 root adm 0 Jan 22 06:30 xconsole
crw-rw-rw- 1 root root 1, 5 Aug 17 02:06 zero
cheetah:/dev#

Some of them are created when the vserver starts (initctl, for instance).

Check the vserver script and see what /dev entries the script wants to create ;)

Regards,
Nuno Silva
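Nuno's point, that the isolation of a guest's root from the host's disks rests on the guest's /dev not containing the nodes in the first place, can be checked mechanically. The script below is an added example, not part of this thread or of the vserver tools: classify_node and audit_vserver_dev are names chosen here, it assumes GNU coreutils stat, and its allowlist is reconstructed from the /dev listing in Nuno's mail (adjust it to your own guests).

```shell
#!/bin/sh
# Audit a vserver root's /dev for device nodes the guest should not have.
# Assumptions: GNU coreutils stat (%F, %t, %T); the allowlist below is
# reconstructed from the /dev listing in Nuno's mail, adjust it to your setup.

# Character devices the guest is expected to have, as decimal "major:minor"
# (null, zero, full, random, urandom, tty, ptmx in the listing above).
ALLOWED_CHAR="1:3 1:5 1:7 1:8 1:9 5:0 5:2"

# classify_node TYPE MAJOR MINOR -> prints OK, BLOCK or CHAR-UNEXPECTED.
# TYPE is "b" (block) or "c" (character); MAJOR and MINOR are decimal.
# Returns 1 for a finding, 0 otherwise.
classify_node() {
  case "$1" in
    b) echo BLOCK; return 1 ;;            # any block node exposes raw disks
    c) for a in $ALLOWED_CHAR; do
         [ "$a" = "$2:$3" ] && { echo OK; return 0; }
       done
       echo CHAR-UNEXPECTED; return 1 ;;
    *) echo OK; return 0 ;;               # symlinks, fifos, sockets, dirs
  esac
}

# audit_vserver_dev DIR -> prints "<verdict> <path> (major,minor)" per finding;
# returns 1 if anything was found, 0 if the tree is clean.
audit_vserver_dev() {
  rc=0
  for f in $(find "$1" \( -type b -o -type c \) 2>/dev/null); do
    t=$(stat -c '%F' "$f" | cut -c1)             # "block ..." -> b, "character ..." -> c
    maj=$(printf '%d' "0x$(stat -c '%t' "$f")")  # %t and %T are hex major/minor
    min=$(printf '%d' "0x$(stat -c '%T' "$f")")
    v=$(classify_node "$t" "$maj" "$min") || { echo "$v $f ($maj,$min)"; rc=1; }
  done
  return $rc
}

# Example invocation from the host (path is a placeholder):
# audit_vserver_dev /vservers/GUEST/dev
```

Any BLOCK line is exactly the condition Rico describes; a CHAR-UNEXPECTED line points at a node the vserver script did not create and is worth explaining before the guest goes live.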

okay i thought i did something wrong and installed the precompiled kernel
and binaries from solucorp and set up another vserver. i didn't enter any
capabilities at the S_CAPS parameter, but after entering the vserver
context root can still access block devices.

can anyone tell me what i did wrong or what else i can try?

thanks a lot,
Rico Hauke