re: Re: Announce: many virtual servers on a single box

From: James Sutherland (
Date: Mon Oct 15 2001 - 11:22:43 EST

On Mon, 15 Oct 2001, Jacques Gelinas wrote:
> On Fri, 12 Oct 2001 23:01:04 -0500, Pavel Machek wrote
> > Hi!
> >
> > > -I have also modified the capability system a little, so those virtual server
> > > administrators can't take over the machine. I have introduced a per-process
> > > capability ceiling, inherited by sub-process. Even setuid program can't grab
> > > more capabilities..
> >
> > Really? What hardware do they see in /dev/? Do their servers have for
> > example mouse? What about ethernet cards?
> In /dev they see very little: full log null ptmx pts random tty
> urandom zero
> The do not have CAP_SYS_MKNOD, so they can't create more than you give.
> In fact, the vserver sees whatever you want to give it. So if you intend to run
> X in the vserver, give it the mouse device.

Hmmm - does this work with devfs?

> > [Why I'm asking? I'm trying to find ways to take over the machine. Do
> > you want to give me root on your machine stating that I can't
> > interfere?]
> Indeed, I could give you a root password on a vserver and you would not be
> able to interfere. Sure enough you would be able to grab resource and slow
> down the machine (and potentially work out a DOS attack). We are working
> on the schedular right now to solve those issues.

Have you looked at the "fairsched" patch for this? It seems to be
unmaintained since 2.4.0-testXX, but look close to your needs...

> But there is no need to open a crackme vserver. Install it on your machine,
> build a vserver.

The question, I think, was would YOU give out root access on vservers on
YOUR box, and be confident people wouldn't be able to escape? :-)

> > You might want to announce this on bugtraq. [And give solar designer
> > root account, he might be more creative ;)].
> You don't understand the issue. Anyone can create his own vserver. The
> system call controlling this are very simple. It is not a "try to
> crack my machine" contest. Anyone can create a vserver and test it.

But can you crack your way OUT of the vserver - how confident are you in
the isolation provided?


"Our attitude with TCP/IP is, `Hey, we'll do it, but don't make a big
system, because we can't fix it if it breaks -- nobody can.'"

"TCP/IP is OK if you've got a little informal club, and it doesn't make any difference if it takes a while to fix it." -- Ken Olson, in Digital News, 1988

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to More majordomo info at Please read the FAQ at

This archive was generated by hypermail 2b29 : Mon Oct 15 2001 - 21:00:58 EST