Re: [Vserver] security implications of having /dev/mem in a guest

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Tue 14 Mar 2006 - 13:08:05 GMT
Message-ID: <20060314130805.GB21506@MAIL.13thfloor.at>

On Tue, Mar 14, 2006 at 11:03:09AM +1100, Tony Lewis wrote:
> I installed a muck-around vserver guest as an Ubuntu desktop (though
> never finished setting it up to log in remotely). Doing an upgrade now
> wants to run dmidecode as part of the postinstall. This wants access to
> /dev/mem, which of course doesn't exist in the guest. Plus to be useful
> I guess I'll have to grant the SYS_RAWIO capability to the guest too?
>
> What are the security implications of having /dev/mem plus RAWIO
> capabilities in a guest? My armchair guess is that a root process in
> the guest would have read (and write?) access to the entire memory space.

yep, your armchair guess is correct ...

plus it will be allowed to mess with certain hardware

best,
Herbert

> Tony Lewis
>
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Tue Mar 14 13:08:55 2006

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Tue 14 Mar 2006 - 13:08:59 GMT by hypermail 2.1.8