From: Sam Vilain (sam_at_vilain.net)
Date: Mon 25 Nov 2002 - 12:19:08 GMT
On Saturday 23 November 2002 14:32, Herbert Poetzl wrote:
> CAP_SYS_ADMIN is currently sufficient for complete
> quota control, CAP_QUOTACTL enables root in a virtual
> server to maintain the user quotas.
How did you get around allowing the virtual server that is running the
commands access to the disk device that the partition resides on?
It's undesirable to allow root on a vserver to be able to open a block device
directly (amplus nucleus violatus), which must be provided for some of the
ioctl() commands required by quota commands.
The only sensible work-around involves userland passing of quota admin
operations from one context to another, eg via an ssh forced command.
Sam.