[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Openvds-devel] Control Panel for OpenVDS-2
From: |
Dave Cost |
Subject: |
RE: [Openvds-devel] Control Panel for OpenVDS-2 |
Date: |
Mon, 14 Jan 2002 15:17:57 -0800 |
> You'll have to have some *tight* capabilites; consider that:
>
> a) root can create a hard link to inode zero (jail busted).
>
> b) do anything they want with /proc/kcore (*whatever* to *whoever*).
Could you please provide pointers to some working exploits so I can run some
tests?
> The only thing I saw in the BSD jail() was locking all communications to a
> specific IP address; currently the default BIND in VSD is the
> hosting-servers's IP address, and secondly, there's no checking against
> binding against 0.0.0.0 (ie, everyone else's IP too).
This will be addressed in OpenVDS-2. You'll only be able to bind the virtual
address even if you bind 0.0.0.0, in fact this is a major feature that will
allow us to safely install servers with general-purpose configuration file,
exactly by binding 0.0.0.0 ;-)
> Again the BSD jail() is actually relying on *capabilities* offered within
> the BSD process system (and the extra entry in the PS struct that ensures
> pass-down of the restrictions from father to child. This would
> be a useful
> thing to have; however...
This is the same way linux works. There's a way of dropping capabilites to
child processes that prevent even root from getting them back. Like I said,
root is just another user. Once a capability is dropped, there's no turning
back.
Dave.
- Re: [Openvds-devel] Control Panel for OpenVDS-2, (continued)
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Joe Cooper, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2, Dave Cost, 2002/01/14
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Joe Cooper, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2, Dave Cost, 2002/01/14
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Joe Cooper, 2002/01/14
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Wim Godden, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2, Dave Cost, 2002/01/14
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Wim Godden, 2002/01/14
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Joe Cooper, 2002/01/14
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Paul Sladen, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2,
Dave Cost <=
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Joe Cooper, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2, Dave Cost, 2002/01/14
- Re: [Openvds-devel] Control Panel for OpenVDS-2, Joe Cooper, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2, Dave Cost, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2, Paul Sladen, 2002/01/14
- RE: [Openvds-devel] Control Panel for OpenVDS-2, Dave Cost, 2002/01/14