From: Kyle Hayes (khayes_at_quicknet.net)
Date: Fri 26 Oct 2001 - 16:11:56 BST
On Friday 26 October 2001 00:07, Chris Wright wrote:
> * Kyle Hayes (khayes_at_quicknet.net) wrote:
> > It is increasingly possible to do things to the kernel and to the system
> > as a whole through proc interfaces. How can that be controlled?
>
> /proc is a filesystem. since lsm easily controls all access to files
> (and filesystems) this is how you control it. and i'd think it should
> behave like vserver's sysctl interface.
i.e. once set, the process cannot change it?
> > Do the capability sets allow me to control access to the /proc file such
> > that a chrooted vserver "root" user cannot stop IP forwarding for
> > instance? I do not understand all the things that can be controlled via
> > these capability bits, so please bear with my newbie questions :-)
>
> this depends on the /proc entry. it is a combination of file
> permissions and capabilities.
Hmm, sounds like I need to read up on LSM too. Sigh. I was hoping I could
follow this in my spare time :-)
Thanks for the answers.
Best,
Kyle