From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Sat 04 Jan 2003 - 01:24:29 GMT
On Sat, 4 Jan 2003, Michael Hilscher wrote:
> On Fri, Jan 03, 2003 at 04:59:01PM +0000, Paul Sladen wrote:
> > `CAP_SYS_RESOURCE':
> > Override resource limits. Set resource limits.
> > Which of the above do you think you need?
> Bind: http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=72
Read: (including my roath for ISC Bind9 coders)
http://www.paul.sladen.org/vserver/faq/#bind9
Synopsis: Compile with `--disable-linux-caps' and don't use `-u' with
threads enabled.
> i'm also not sure about the Risks of: CAP_NET_RAW capability
> Why is that cap deactivated in default?
So people have the ability to send ICMP Ping packets.
> * Allow use of RAW sockets
> * Allow use of PACKET sockets
At the moment the paranoid risk is sniffing plaintext from other vserver
throught the loopback. People could potentionally use the machine as a DoS
source by sending lots of spoofed packets.
The former they could do on unswitched ethernet; the latter they could do
on a Dedicated server anyway.
-Paul
-- Nottingham, GB