On Mon, Jan 16, 2012 at 10:06:19AM +1100, Steve Kieu wrote:
> Hello everyone,
> I know I can ssh in the host and run tcpdump but I do not want to.
> So I need it from the vserver instance.
> From
> http://linux-vserver.org/Capabilities_and_Flags
> I think I can do
> echo "NET_RAW" >> /etc/vservers/myserver/bcapabilities
> I could not see any more serious security problems when
> adding this (not like NET_ADMIN), but I am not an expert at all.
well, this bcapability allows the guest to use RAW
(and PACKET) sockets, which means that it will be
able to do the following:
- listen to any packet transmitted on the available
interfaces (that's what tcpdump does)
- forge any packet (i.e. make it look like it came
from somewhere else)
- create llc_ui and hci sockets (bluetooth)
> Any comment, suggestions, idea please?
if you know the implications and you are okay with
that, then it's perfectly fine to give that capability,
just don't expect that it is secure for a potentially
hostile environment
best,
Herbert
> kind regards,
> --
> Steve Kieu
Received on Tue Jan 17 04:13:44 2012
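Added example (not part of this thread, and not Linux-VServer code): a small C program a guest administrator can run inside the instance after editing bcapabilities to confirm what was actually granted. It checks the effective capability mask the kernel reports in /proc/self/status (CapEff), where CAP_NET_RAW is capability number 13, and cross-checks it by attempting to open an AF_PACKET raw socket, which the kernel gates on CAP_NET_RAW (the socket is closed again immediately, nothing is captured or sent). The file path and the bit number are from the kernel's own interfaces; the function names and the sample status text are this example's own.

```c
// Added example: verify whether this process holds CAP_NET_RAW, the
// capability that the NET_RAW bcapability hands to a Linux-VServer guest.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>      // htons
#include <linux/if_ether.h>  // ETH_P_ALL

#define CAP_NET_RAW_BIT 13   // capability number of CAP_NET_RAW (linux/capability.h)

// Parse the "CapEff:" line of /proc/<pid>/status text and report whether
// capability number `capnum` is set in the effective set.
// Returns 1 if set, 0 if clear, -1 if the line is missing or malformed.
int capeff_has(const char *status_text, int capnum) {
    if (capnum < 0 || capnum >= 64) return -1;
    const char *line = strstr(status_text, "CapEff:");
    if (!line) return -1;
    line += strlen("CapEff:");
    while (*line == ' ' || *line == '\t') line++;
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(line, &end, 16);
    if (errno != 0 || end == line) return -1;
    return ((mask >> capnum) & 1ULL) ? 1 : 0;
}

// Read this process's own status file and check CAP_NET_RAW.
int self_has_net_raw(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return capeff_has(buf, CAP_NET_RAW_BIT);
}

// Try to open (and immediately close) an AF_PACKET raw socket.
// Returns 0 if the kernel allowed it, otherwise the errno
// (EPERM is what a guest without CAP_NET_RAW sees).
int probe_raw_socket(void) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void) {
    int cap = self_has_net_raw();
    int probe = probe_raw_socket();
    printf("CapEff says CAP_NET_RAW is %s\n",
           cap == 1 ? "set" : cap == 0 ? "clear" : "unknown");
    if (probe == 0)
        printf("AF_PACKET raw socket: allowed\n");
    else
        printf("AF_PACKET raw socket: denied (%s)\n", strerror(probe));
    return 0;
}
```

If the two views disagree (CapEff shows the bit but the socket is still refused), something other than the capability set is in the way, for example a seccomp filter or an LSM policy, which is worth knowing before assuming the guest can run tcpdump.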