Re: [vserver] quotaing

From: Sam Vilain (sam_at_vilain.net)
Date: Fri Jul 12 2002 - 10:25:41 EDT

• Next message: Sam Vilain: "Re: [vserver] vserver quota support"
• Previous message: Roderick A. Anderson: "[vserver] /vservers on NFS mount?"
• In reply to: Jacques Gelinas: "Re: [vserver] quotaing"
• Next in thread: Jacques Gelinas: "Re: [vserver] quotaing"

Jacques Gelinas <jack_at_solucorp.qc.ca> wrote:

> > Quota works fine if each vserver is mounted on a different LVM share, or
> > loopback filesystem.
> Yes but there is another issue. You may want to limit quota per user in
> a vserver and allow the vserver administrator to handle it. To handle quota
> he needs access to the block device and this opens a security issue.

Is it much of a security issue to give them a /dev entry for their own LVM partition?

I guess the answer is yes, a malicious user could hang the kernel by frigging with the block device themselves.

But if it was there, but they just couldn't open it, they could still call quotactl() on it and quotas would still work. Is this your intention for the new unused CAP_OPENDEV capability?

--
   Sam Vilain, sam_at_vilain.net     WWW: http://sam.vilain.net/
    7D74 2A09 B2D3 C30F F78E      GPG: http://sam.vilain.net/sam.asc
    278A A425 30A9 05B5 2F13
Real Computer Scientists Don't Write Code

• Next message: Sam Vilain: "Re: [vserver] vserver quota support"
• Previous message: Roderick A. Anderson: "[vserver] /vservers on NFS mount?"
• In reply to: Jacques Gelinas: "Re: [vserver] quotaing"
• Next in thread: Jacques Gelinas: "Re: [vserver] quotaing"

This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:01 EDT