vserver development mailing list: Re: [vserver] Some software seems to be able to break out of jail Was: vserver doesn't limit to correct ip adress

Re: [vserver] Some software seems to be able to break out of jail Was: vserver doesn't limit to correct ip adress:
vserver development mailing list
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]

About this list	Date view	Thread view	Subject view	Author view	Attachment view

From: Martin List-Petersen (martin_at_list-petersen.dk)
Date: Wed 02 Apr 2003 - 19:32:11 BST

Previous message: James Maxwell - Systems Administrator: "[vserver] max number of vserver ips?"
In reply to: bolle: "Re: [vserver] Some software seems to be able to break out of jail Was: vserver doesn't limit to correct ip adress"

On Wed, 2003-04-02 at 16:36, bolle wrote:
> I had a similar problem. Setting up a Cyrus21 with exim on a vserver that
> runs on a host with Debian Woody, 2.4.19ctx-15 (i think) kernel (vserver
> 0.22-7).
>
> The hosts' exim was blocking port 25 so that the vserver's MTA could not be
> accessed.
> I found two solutions:
> 1. Stopping the host's exim. That is a little crude, but the verserver's MTA
> could then recieve incoming smtp calls.
> 2. Restarting the hosts exim not in inetd but as a daemon with chbind to
> eth0's original IP. The host's exim now accepts messages on port 25 and so
> does the vserver's (on its dummy eth0:xxxx). This solution sounds a little
> strange to me, because I thought, these system-calls were intended only for
> the vservers and not for the hosts. But it works (at least up to now). Even
> the other vservers now listen on port 25 for their IP
>

Yes. That is intended, since the main host has full rights for all ip's
and not is restricted. Besides would you also be able to limit exim, if
you use xinetd instead, which can bind to specific ip's.

In my case the ipv6 simply broke the vserver jail and some daemons
inside the vserver jail where allowed to bind the ports (example. exim /
25 and courier-imap / 143) on all ips.

Removing the ipv6 support completely from the kernel fixed my problem,
but that means i can't use ipv6 on that host at all.

If i would start a daemon up on the host system it would also bind the
port on all ip's unless i limit it, when ipv6 is removed, but that's the
way it should be.

-- Regards, Martin List-Petersen martin at list-petersen dot dk -- It is a period of system war. User programs, striking from a hidden directory, have won their first victory against the evil Administrative Empire. During the battle, User spies managed to steal secret source code to the Empire's ultimate program: the Are-Em Star, a privileged root program with enough power to destroy an entire file structure. Pursued by the Empire's sinister audit trail, Princess _LPA0 races ~ aboard her shell script, custodian of the stolen listings that could save her people, and restore freedom and games to the network... -- DECWARS

application/pgp-signature attachment: This is a digitally signed message part

Previous message: James Maxwell - Systems Administrator: "[vserver] max number of vserver ips?"
In reply to: bolle: "Re: [vserver] Some software seems to be able to break out of jail Was: vserver doesn't limit to correct ip adress"

About this list	Date view	Thread view	Subject view	Author view	Attachment view

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 02 Apr 2003 - 19:58:01 BST by hypermail 2.1.3