OpenVZ Forum: Support

Home » General » Support » nscd on VE

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: nscd on VE [message #26830 is a reply to message #26494]

Sat, 02 February 2008 13:25

maratrus
Messages: 1495
Registered: August 2007
Location: Moscow

Senior Member

Hi,

I'm very sorry for delay.

As we can see from strace output setuid and setgid capabilities are not sufficient. We need also CAP_AUDIT_WRITE.

From src/include/linux/capability.h (openvz kernel tree) inside VE we should to set SETVEID capability and "man vzctl" allows us to do this. I tried this but suddenly found that this capability was not actually set. The reason is in kernel's do_env_create() function which is called when we start our VPS. It displaces setveid capability otherwise this VPS becomes the serious hole in security.

So I can suggest you two ways:
1. If it is possible you can use the elder version of nscd. I noticed that it doesn't try to set this capabilities. (I experimented with VPS based on Fedora 4 ).
2. You can compile nscd by yourself. We easily can find the relevant piece of code and can try to comment unnecessary string.

Report message to a moderator

[Message index]

		nscd on VE By: edel on Sat, 19 January 2008 03:17
		Re: nscd on VE By: edel on Fri, 25 January 2008 05:16
		Re: nscd on VE By: maratrus on Sat, 02 February 2008 13:25
		Re: nscd on VE By: edel on Sat, 02 February 2008 23:59

Previous Topic:	Inject in PHP? Bug? Help-me!
Next Topic:	Samba cifs client in VE's

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Fri Jan 23 18:56:27 GMT 2026

Total time taken to generate the page: 0.31276 seconds