From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Fri 03 Jan 2003 - 16:59:01 GMT
On Fri, 3 Jan 2003, Michael Hilscher wrote:
> I'd like to know if and how it's possible to reduce the max used Number
> of kbytes a vserver is allowed to use.
Not at the present. These Limits/Restrictions are not something you can do
on a normal (non-s_context) kernel either.
> I can't find further information about each cap (functions and risks).
http://www.paul.sladen.org/vserver/faq/#caps
> Can an attacker reach the root Server with those caps:
> S_CAPS="CAP_SYS_RESOURCE CAP_NET_RAW"
`CAP_SYS_RESOURCE':
  Override resource limits. Set resource limits.
  Override quota limits.
  Override reserved space on ext2 filesystem
    NOTE: ext2 honors fsuid when checking for resource overrides, so
    you can override using fsuid too
  Override size restrictions on IPC message queues
  Allow more than 64hz interrupts from the real-time clock
  Override max number of consoles on console allocation
  Override max number of keymaps
Which of the above do you think you need--that is causing you to want to
enable `CAP_SYS_RESOURCE'?
-Paul
-- Nottingham, GB
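
Added example, not part of the original message: a shell check for whether a process's effective capability mask includes the two capabilities named in the question. It assumes a Linux /proc that exposes `CapEff` in `/proc/PID/status`; the function names and the sample mask are made up for illustration, and the bit numbers are those in `<linux/capability.h>`.

```shell
#!/bin/sh
# Audit helper (added example): report whether CAP_NET_RAW and
# CAP_SYS_RESOURCE are set in a capability mask.
# Bit numbers from <linux/capability.h>.
CAP_NET_RAW_BIT=13
CAP_SYS_RESOURCE_BIT=24

# has_cap HEXMASK BIT -> exit status 0 if that bit is set in the mask.
# HEXMASK is given without a 0x prefix, as it appears in /proc.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# watched_caps_in_mask HEXMASK -> prints the watched capabilities that
# are set, space separated; prints an empty line if neither is set.
watched_caps_in_mask() {
    out=""
    if has_cap "$1" "$CAP_NET_RAW_BIT"; then
        out="CAP_NET_RAW"
    fi
    if has_cap "$1" "$CAP_SYS_RESOURCE_BIT"; then
        out="${out:+$out }CAP_SYS_RESOURCE"
    fi
    echo "$out"
}

# effective_mask PID -> prints the CapEff hex field for that process.
effective_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample mask with bits 13 and 24 set (not from a real vserver).
SAMPLE_MASK=0000000001002000
echo "sample mask: $(watched_caps_in_mask "$SAMPLE_MASK")"

# Check the current shell, if /proc is available.
if [ -r "/proc/$$/status" ]; then
    echo "this shell:  $(watched_caps_in_mask "$(effective_mask $$)")"
fi
```

Run inside the vserver context, `watched_caps_in_mask "$(effective_mask PID)"` shows which of the two capabilities a given process actually holds.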