
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 04 Dec 2003 - 17:53:56 GMT


On Thu, Dec 04, 2003 at 12:24:18PM -0500, Alex Klymov wrote:
> Hello Michael,
>
> Thursday, December 4, 2003, 11:41:57 AM, you wrote:
>
> MP> Hi vServer-Admins,
>
> MP> Trying to use vserver with other pax, grsecurity or
> MP> the openwall patches does not work.
> MP> But security demands are rising.

some questions should be, how long will 2.4 be
used and does 2.6 satisfy those needs ...

> MP> So, does anyone know any kernel enhancements that
> MP> work with vserver?

basically many security enhancements work with
vserver, some need less, others need more manual
fixing ...

> MP> Features I am searching for are:
>
> MP> - Randomized Features (TCP ISN, PIDs, IP IDs, TCP source ports)
> MP> - Protection against Stack-attacks
> MP> - Confusing OS-fingerprints
> MP> - Auditing Features (like in grsecurity)
> MP> - Restrictions for /tmp
> MP> - And every other stuff that enhances security!

I have no problem in adding enhancements (as optional
patches) to the vserver patchsets, but it will be
required to test and document this stuff too, so if
you, and others, are willing to test this, I have no
problem with rediffing it ...

see
http://vserver.13thfloor.at/Experimental/patch-2.4.23-vs1.00-grsec-1.9.12.diff
http://vserver.13thfloor.at/Stuff/patch-2.4.23-pre7-grsec-1.9.12.diff.bz2
(both untested)

others did adaptations of grsec to vserver which might
be tested and/or in use ...

> MP> Thank you a lot for your help!
> MP> Michael
>
> I was able to "marry" vserver with grsecurity 2.0rc3.
> My first priority was increasing network security - I
> didn't try PaX and process protection but I don't see
> the reason why it wouldn't work.

> From the sources' perspective it should not conflict with
> vserver functionality as long as you are not using the ACL
> feature (which uses the system capabilities vserver is
> dependent on).

I don't see such an issue in the ACL stuff either, but
it will require some changes to vserver to work ...
(as I said, if there is demand _and_ folks doing the
testing, which _is_ a hard job, if it comes to things
like security, I'm willing to support those patches)

> Can somebody confirm/correct me if I'm wrong?

sorry, can't confirm, as I believe you are right! 8-)

best,
Herbert

> --
> Alex mailto:al3x__at_gmx.net
> 12:15:01 PM Thursday, December 4, 2003 EDT
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Generated on Thu 04 Dec 2003 - 17:55:39 GMT by hypermail 2.1.3