About this list Date view Thread view Subject view Author view Attachment view

From: edward_at_paradigm4.com.au
Date: Tue 22 Jan 2002 - 00:56:24 GMT


On Monday, 21 January 2002 at 16:11, Jacques Gelinas wrote:

>
> I agree. I have modified the patch this way
>
> if (!capable(CAP_SYS_ADMIN)) return -EPERM;
>
> vservers do not have this capability by default and some people may want
> to do some special jobs in vservers. It sounds a little more general than
> just relying on the security context.

Yep, it's generic enough and good enough for me but it will
alter the existing default behaviour of the kernel in context 0

Under stock kernel, non-root users are allowed read access to kernel messages.
Not necessarily a good thing, if you ask me, but that's a question of whether
you want to maintain 100% compatibility by default.

How about

         if (!capable(CAP_SYS_ADMIN)&&current->s_context!=0) return -EPERM;

> > Below is a simple "fix".
> > dmesg and klogd under vserver will fail.
> >
> > --- linux-2.4.17/kernel/printk.c.orig Sat Dec 22 04:42:04 2001
> > +++ linux-2.4.17/kernel/printk.c Mon Jan 21 22:06:13 2002
> > @@ -168,6 +168,8 @@
> > char c;
> > int error = 0;
> >
> > + if(current->s_context!=0) return -EPERM;
> > +
> > switch (type) {
> > case 0: /* Close log */
> > break;
> >

> I think that /proc is far too complex and too open (any module may add its own trick
> in it). We would have to review it on a regular basis :-(

Well, any kernel module can do anything it wants to, including overriding
all syscalls and replacing linux with something else.
And yes, a badly written module may leave some way to exploit code in kernel space
via /proc or sysctl. But then again, it may have holes in its other user interfaces either.

> I want to write a new proc fs called vproc. It would simply be a stripped down
> proc containing the processes and few other entries in proc. This way, we will
> have the stuff needed by vservers and this will be enough.

Yes, the lightweight version of proc fs like in BSD is long overdue.

You may also want to look at restricting the sysctl interface.
I didn't have a chance to go through it yet but it's on the waiting list.

Ed


About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 06 Nov 2002 - 07:03:38 GMT by hypermail 2.1.3