
From: Bjoern Steinbrink (admin_at_magicwars.de)
Date: Thu 01 Jul 2004 - 17:26:58 BST


On Thu, 2004-07-01 at 17:32, Dennis Roos wrote:
> On 1 Jul 2004 at 17:04, nospam wrote:
>
> > 3. No ping in vserver is possible.
> >
> > ping: icmp open socket: Operation not permitted
> >
> > Following Capabilities are set in vserver3.conf :
> >
> > S_CAPS="CAP_SETPCAP CAP_SYS_ADMIN CAP_NET_BROADCAST CAP_SYS_PACCT
> > CAP_SYS_RAWIO CAP_NET_BROADCAST"
> Add "CAP_NET_RAW" to the S_CAPS... You might have to add a
> source interface to ping/traceroute commands eg: traceroute -i
> eth0:vserver3 192.168.0.1
>
And be aware that your vserver is _very_ insecure. A secure S_CAPS is
empty and most of the time that is also sufficient. Ping is evil and
requires CAP_NET_RAW, but that also allows e.g. sniffing on the
interface and fake packets. There's a ping replacement (poink?) that
does not need CAP_NET_RAW, tracepath also works without it.
The other caps are even worse, why do you need them?

Greetings
Bjoern

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
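
As an added example (not part of the original thread or of the vserver tools): a small Python audit of the S_CAPS line discussed above, listing each granted capability with a short note and flagging duplicates such as the repeated CAP_NET_BROADCAST. The function names, the note table (paraphrased from capabilities(7)) and the sample file are assumptions of this example; it handles double-quoted or bare values only.

```python
import re

# Notes paraphrased from capabilities(7); which caps to list is this example's choice.
RISK_NOTES = {
    "CAP_NET_RAW": "raw and packet sockets: sniffing and forged packets",
    "CAP_SYS_ADMIN": "broad administrative operations such as mount(2)",
    "CAP_SYS_RAWIO": "I/O port access via ioperm(2) and iopl(2)",
    "CAP_SETPCAP": "changing process capability sets",
    "CAP_SYS_PACCT": "process accounting control via acct(2)",
    "CAP_NET_BROADCAST": "socket broadcasts and listening to multicasts",
}

# Constructed sample: the S_CAPS value quoted in the thread, as a config file.
SAMPLE_CONF = '''# vserver3.conf (sample)
S_CAPS="CAP_SETPCAP CAP_SYS_ADMIN CAP_NET_BROADCAST CAP_SYS_PACCT
CAP_SYS_RAWIO CAP_NET_BROADCAST"
'''

ASSIGNMENT = re.compile(r'^[ \t]*S_CAPS=(?:"([^"]*)"|(\S*))', re.MULTILINE)

def parse_s_caps(conf_text):
    """Return capability names from the last S_CAPS assignment, duplicates kept."""
    matches = list(ASSIGNMENT.finditer(conf_text))
    if not matches:
        return []
    quoted, bare = matches[-1].groups()
    # A quoted value may span lines; split() handles spaces and newlines alike.
    return (quoted if quoted is not None else bare).split()

def audit_s_caps(conf_text):
    """Return (capability, note) pairs; an empty list means S_CAPS grants nothing."""
    findings, seen = [], set()
    for cap in parse_s_caps(conf_text):
        if cap in seen:
            findings.append((cap, "listed more than once"))
        else:
            seen.add(cap)
            findings.append((cap, RISK_NOTES.get(cap, "see capabilities(7)")))
    return findings

if __name__ == "__main__":
    for cap, note in audit_s_caps(SAMPLE_CONF):
        print(f"{cap:18} {note}")
```

An empty result corresponds to the empty S_CAPS that the reply above describes as secure.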


Generated on Thu 01 Jul 2004 - 17:27:22 BST by hypermail 2.1.3