From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Tue 23 Sep 2003 - 13:24:28 BST

• Previous message: Rik van Riel: "Re: [vserver] 2.6: less is more"
• In reply to: Matthieu Racine: "Re: [vserver] Using NFS mounts in a vserver"
• Next in thread: Enrico Scholz: "Re: [vserver] Using NFS mounts in a vserver"

m.racine_at_free.fr ("Matthieu Racine") writes:

>> > chbind --ip <my_vserverip> --bcast <my_vserver_broadcast> chroot
>> > ${VSERVERS_ROOT}/${VSERVER_NAME} mount -t nfs
>> > <myNFSserverIP>:/partage/nfs/pro /mnt/pro
>>
>> This 'chroot' makes you vulnerably against attacks from inside
>> of the chroot
> ...
> so :
>
> cp -pf /bin/mount ${VSERVERS_ROOT}/${VSERVER_NAME}/bin/mount && chbind --ip
> blablabla....

Do not forget /lib/libc.so, the other libraries and the locale-data
and ... You have to empty /etc/mtab, too; an attacker could put
data in it which causes overflows.

When the vserver is running already (e.g. 'mount' happens in
post-start), this is not applicable at all because of possible
races.

But I do not see a real reason for the 'chroot'...

Enrico

• Previous message: Rik van Riel: "Re: [vserver] 2.6: less is more"
• In reply to: Matthieu Racine: "Re: [vserver] Using NFS mounts in a vserver"
• Next in thread: Enrico Scholz: "Re: [vserver] Using NFS mounts in a vserver"