[EMAIL PROTECTED] ("Matthieu Racine") writes:
>> > chbind --ip <my_vserverip> --bcast <my_vserver_broadcast> chroot
>> > ${VSERVERS_ROOT}/${VSERVER_NAME} mount -t nfs
>> > <myNFSserverIP>:/partage/nfs/pro /mnt/pro
>>
>> This 'chroot' makes you vulnerably against attacks from inside
>> of the chroot
> ...
> so :
>
> cp -pf /bin/mount ${VSERVERS_ROOT}/${VSERVER_NAME}/bin/mount && chbind --ip
> blablabla....
Do not forget /lib/libc.so, the other libraries and the locale-data
and ... You have to empty /etc/mtab, too; an attacker could put
data in it which causes overflows.
When the vserver is running already (e.g. 'mount' happens in
post-start), this is not applicable at all because of possible
races.
But I do not see a real reason for the 'chroot'...
Enrico
