
From: Luís Miguel Silva (lms_at_ispgaya.pt)
Date: Mon 12 Jan 2004 - 07:38:19 GMT


Great to read that :o)

Am I gonna have the problems I had with 2.4.24-vs1.22?
I am referring to the security context problems.

Currently I am using 2.4.24-vs1.00 because of those!

(after exchanging some mails in the past week with other users, which you
probably saw too, I think those problems had to do with me not being able to
get a random security context)!

Other users "complained" about the same and said they resolved their problem
by specifying a static security context.

Thanks for the new version,
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: lms_at_ispgaya.pt
| H: http://lms.ispgaya.pt/

-----Original Message-----
From: vserver-admin_at_list.linux-vserver.org
[mailto:vserver-admin_at_list.linux-vserver.org] On Behalf Of Herbert Poetzl
Sent: Monday, 12 January 2004 6:11
To: vserver_at_list.linux-vserver.org
Subject: [Vserver] [Release] Stable vs1.23 (improved security)

Hello Community!

hopefully the final bugfix release of the second
linux-vserver stable release (1.23) is now
available at


you can download an all-in-one patch for 2.4.24
as well as tar archives of the splitup ...
(patches for older kernels available on request)

this release fixes another locking issue, this
time within the /proc filesystem, and adds a very
important security interface, to protect entries
against unwanted access.

older tools (especially tools for 1.22) should
work but util-vserver-0.26 or later is recommended.

new proc security feature:

by using the vproc tool (provided in vproc-0.1.tar)
it is now possible to limit the visibility of proc
entries to either the host, the special context one,
or both, according to your preference.

note: by default all proc entries are visible and
therefore accessible via read and write on all
contexts, only restricted by the linux capability
system, which is equivalent to the setup in all
earlier versions.

(using the entry meminfo as example)

 vproc /proc/meminfo     (shows current visibility)
 vproc -d /proc/meminfo  (hide in user context)
 vproc -D /proc/meminfo  (hide in any context)
 vproc -E /proc/meminfo  (show only in ctx one)
 vproc -e /proc/meminfo  (default: visible)

please make sure to disable dangerous entries
which are not required in a vserver anyway, like
hardware interfaces (ide,bus,pci,scsi) or kernel
interfaces (kmem,iomem,ioports,sys,...)

note: symbolic links and dynamically generated
entries like /proc/<pid> can not be masked by this
interface yet ...


Vserver mailing list
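The announcement above asks administrators to hide the hardware and kernel /proc entries that a vserver never needs. The script below is an added example written for this archive page, not code from the vserver project or from either poster; it wraps the vproc invocations the release note lists (vproc with no option to show visibility, vproc -D to hide an entry in every context) in a small hardening routine. It assumes the vproc binary from vproc-0.1 is on PATH; the VPROC and PROC_ROOT variables are assumptions of this example, there so the run can be pointed at another binary or directory (for instance VPROC=echo for a dry run), and the summary counters exist so the caller can tell hidden entries from ones that are simply absent on a given kernel.

```shell
#!/bin/sh
# Added example: hide the /proc entries the vs1.23 release note calls
# dangerous from every security context, using the vproc tool.
# Assumptions (not from the original mail): VPROC and PROC_ROOT are
# override hooks for this script only; the vproc flags themselves are
# the ones documented in the announcement.
VPROC="${VPROC:-vproc}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# Entries named in the announcement as hardware interfaces (ide, bus, pci,
# scsi) or kernel interfaces (kmem, iomem, ioports, sys).
DANGEROUS_ENTRIES="ide bus pci scsi kmem iomem ioports sys"

# hide_entry NAME
#   Hide $PROC_ROOT/NAME in any context (vproc -D).
#   Returns 0 on success, 2 when the entry does not exist on this kernel,
#   and vproc's own exit status on failure.
hide_entry() {
    entry="$PROC_ROOT/$1"
    if [ ! -e "$entry" ]; then
        return 2
    fi
    "$VPROC" -D "$entry"
}

# hide_dangerous
#   Apply hide_entry to every entry in DANGEROUS_ENTRIES and print a
#   one-line summary "hidden=N missing=N failed=N". Exit status is 0 only
#   when no vproc call failed, so the script is safe to run from cron or
#   from a vserver start hook and will report a problem loudly.
hide_dangerous() {
    hidden=0; missing=0; failed=0
    for name in $DANGEROUS_ENTRIES; do
        # Test the call inside "if" so a "set -e" caller does not abort on
        # a missing entry before the summary is printed.
        if hide_entry "$name"; then rc=0; else rc=$?; fi
        case $rc in
            0) hidden=$((hidden + 1)) ;;
            2) missing=$((missing + 1)) ;;
            *) failed=$((failed + 1)) ;;
        esac
    done
    echo "hidden=$hidden missing=$missing failed=$failed"
    [ "$failed" -eq 0 ]
}

# show_visibility
#   Print the current visibility of each dangerous entry (vproc with no
#   option), skipping entries that do not exist. Use this to verify the
#   masks after applying them or after a kernel upgrade.
show_visibility() {
    for name in $DANGEROUS_ENTRIES; do
        if [ -e "$PROC_ROOT/$name" ]; then
            "$VPROC" "$PROC_ROOT/$name"
        fi
    done
    return 0
}

# Usage: sh harden-proc.sh apply   (hide the entries)
#        sh harden-proc.sh show    (print current visibility)
case "${1:-}" in
    apply) hide_dangerous ;;
    show)  show_visibility ;;
esac
```

Run it with the show action first to record the visibility vproc reports on the host, apply the masks, then run show again from inside a vserver; the announcement notes that /proc/<pid> entries and symbolic links are not covered by this interface, so those still need the usual capability-based restrictions.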

Generated on Mon 12 Jan 2004 - 07:33:32 GMT by hypermail 2.1.3