On Wed, Jan 22, 2003 at 04:52:20PM +0100, [EMAIL PROTECTED] wrote:
> I wonder why root inside my vservers can still access block devices?
>
> I built kernel 2.4.20ctx-16 and vserver-0.22 on Debian testing and set up
> a virtual server context where sshd runs inside. This works fine.
> Unfortunately, after connecting to my vserver from another machine, root
> inside my vserver is still able to access block devices, although it only
> has the limited (--secure) set of capabilities described in the reducecap
> manpage. So root can do things like 'cat /dev/hda1' or 'cat /dev/random >
> /dev/hda1'. Since I read that root inside a vserver "can't take over the
> machine" or even "can't access block devices" (vserver documentation 2.2),
> I wonder why root is able to do so on my machine.
Just remove the block devices in /dev within the vservers - they are not needed. And unless you fiddle with S_CAPS in the conf, root shouldn't be able to create them.

Tom
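A small helper for the cleanup Tom describes, added here as an example and not taken from the thread or from the vserver tools themselves. It assumes the vserver root is a directory on the host (e.g. /vservers/NAME, an assumed layout) and that the host root runs the listing/removal from outside the context; the mknod probe is meant to be run inside the vserver as its root to confirm that the --secure capability set refuses to recreate a block node. Device numbers 3,1 (hda1 on 2.4 kernels) are only used as a probe value.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumed layout: VSERVER_ROOT=/vservers/NAME on the host.

# list_block_devices ROOT: print every block-device node found under ROOT/dev.
# -xdev keeps find from wandering into anything mounted below ROOT/dev.
list_block_devices() {
    root="$1"
    find "$root/dev" -xdev -type b 2>/dev/null
}

# count_block_devices ROOT: number of block-device nodes under ROOT/dev.
count_block_devices() {
    list_block_devices "$1" | wc -l | tr -d ' '
}

# remove_block_devices ROOT: delete the block nodes (run as host root, from
# outside the vserver). Character devices such as null/zero/random are kept.
remove_block_devices() {
    list_block_devices "$1" | while IFS= read -r node; do
        rm -f -- "$node"
    done
}

# check_mknod_denied DIR: run INSIDE the vserver as its root. Tries to create
# a block node (major 3, minor 1 as a probe value) and returns 0 if the kernel
# refuses, which is what the reduced capability set should give you; returns 1
# if the node was created, meaning the context still has the capability to
# make block devices (e.g. after changing S_CAPS in the conf).
check_mknod_denied() {
    probe="$1/mknod-probe.$$"
    if mknod "$probe" b 3 1 2>/dev/null; then
        rm -f -- "$probe"
        return 1
    fi
    return 0
}
```

Typical use on the host: `. ./blockdev-check.sh; list_block_devices /vservers/NAME` to see what is there, then `remove_block_devices /vservers/NAME`. Inside the vserver, `check_mknod_denied /dev && echo "mknod refused"` confirms root cannot simply recreate the nodes.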
