
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sat 17 Jan 2004 - 04:57:21 GMT


Greetings Community!

well, I can hope, but reality caught up, and while
version 1.23 fixed many races and added the new procfs
security feature, it also introduced a new, tricky
race which reduced the stability for SMP enabled kernels ...

this bugfix release (1.24) fixes that race.
thanks to all those people who helped debugging and
testing this issue, the result is available at

  http://www.13thfloor.at/vserver/s_release/v1.24/

users of vs1.23 with SMP enabled kernels are advised to
upgrade (for example by patching the incremental patch)

appended the new procfs security tool explanation,
for those who missed it on the last posting ...

best,
Herbert

new proc security feature:

by using the vproc tool (provided in vproc-0.1.tar)
it is now possible to limit the visibility of proc
entries to either the host, the special context one,
or both, according to your preference.

note: by default all proc entries are visible and
therefore accessible via read and write on all
contexts, only restricted by the linux capability
system, which is equivalent to the setup in all
earlier versions.

(using the entry meminfo as example)

 vproc /proc/meminfo (shows current visibility)

 vproc -d /proc/meminfo (hide in user context)
 vproc -D /proc/meminfo (hide in any context)
 vproc -E /proc/meminfo (show only in ctx one)
 vproc -e /proc/meminfo (default: visible)

please make sure to disable dangerous entries
which are not required in a vserver anyway, like
hardware interfaces (ide,bus,pci,scsi) or kernel
interfaces (kmem,iomem,ioports,sys,...)

note: symbolic links and dynamically generated
entries like /proc/<pid> cannot be masked by this
interface yet ...

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
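Added example, not part of the announcement above and not shipped with vserver or the vproc tool: after hiding entries with `vproc -d` inside a guest, a practitioner wants to confirm which of the "dangerous" entries the post lists (ide, bus, pci, scsi, kmem, iomem, ioports, sys) are actually unreachable from that context, and which ones fall into the gap the post mentions (symbolic links and dynamic entries cannot be masked). The script below audits a procfs root for exactly that; the `proc_root` parameter exists so it can be pointed at a constructed directory for testing, and the entry names are taken from the post while their exact paths under /proc are an assumption about the procfs layout of that era.

```python
#!/usr/bin/env python3
"""Audit which procfs entries are still reachable from the current context.

Hypothetical helper, not part of the vserver release or the vproc tool.
Run it inside a guest after `vproc -d <entry>` and compare the result
with the list of entries you expected to disappear.
"""
import os
import stat
from typing import Dict, List

# Entry names the post recommends disabling inside a vserver. The names come
# from the announcement; that they live directly under /proc is an assumption
# about the 2.4-era procfs layout.
DANGEROUS_ENTRIES: List[str] = [
    "ide", "bus", "pci", "scsi",          # hardware interfaces
    "kmem", "iomem", "ioports", "sys",    # kernel interfaces
]


def classify_entry(proc_root: str, name: str) -> str:
    """Return how an entry presents itself from this context.

    hidden   - lookup fails (what `vproc -d` is expected to produce)
    symlink  - a symbolic link; the post notes vproc cannot mask these yet
    writable - reachable and the caller could write to it
    readable - reachable and the caller could read it
    present  - exists but neither read nor write access is granted
    """
    path = os.path.join(proc_root, name)
    try:
        st = os.lstat(path)
    except (FileNotFoundError, PermissionError):
        return "hidden"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if os.access(path, os.W_OK):
        return "writable"
    if os.access(path, os.R_OK):
        return "readable"
    return "present"


def audit(proc_root: str = "/proc", entries: List[str] = DANGEROUS_ENTRIES) -> Dict[str, str]:
    """Classify every entry of interest under proc_root."""
    return {name: classify_entry(proc_root, name) for name in entries}


def still_exposed(proc_root: str = "/proc", entries: List[str] = DANGEROUS_ENTRIES) -> List[str]:
    """Entries that remain reachable, i.e. that vproc did not (or could not) hide."""
    return sorted(name for name, status in audit(proc_root, entries).items()
                  if status != "hidden")


def unmaskable(proc_root: str = "/proc", entries: List[str] = DANGEROUS_ENTRIES) -> List[str]:
    """Entries the post says this interface cannot mask: symlinks and /proc/<pid>."""
    found = [name for name, status in audit(proc_root, entries).items() if status == "symlink"]
    try:
        # Dynamic per-process entries are visible as all-digit directory names.
        found += [n for n in os.listdir(proc_root) if n.isdigit()]
    except OSError:
        pass
    return sorted(found)


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:10s} {status}")
    exposed = still_exposed()
    if exposed:
        print("still exposed:", ", ".join(exposed))
    gaps = unmaskable()
    if gaps:
        print("cannot be masked by vproc:", ", ".join(gaps))
```

Running it as root inside the guest is the interesting case: root there is limited only by the capability system, so an entry that shows up as `writable` is one the post asks you to disable. Anything reported as `symlink` or a numeric pid directory will not go away with vproc and needs a different control.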


Generated on Sat 17 Jan 2004 - 04:58:53 GMT by hypermail 2.1.3