
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 06 Feb 2004 - 21:55:20 GMT


On Fri, Feb 06, 2004 at 10:33:14PM +0100, Herbert Poetzl wrote:
>
> Hello Folks!
>
> because the last security fix for the chmod()/chroot()
> issue was a little too fast, and a little too secure
> for some distros (debian was mentioned), this release
> restricts the security to the 'important' parts, the
> vserver directory.
>
> this is done in the following way:
>
> the chroot() 000 barrier is unaffected and unchanged,
> but in addition to that, a barrier with IUNLINK set
> can not be changed (chmod()), so the exploit isn't
> possible on such a secured system.
>
> What you have to do, after applying that patch?
>
> chmod 000 /vservers
> chattr +t -d /vservers

as enrico pointed out, this is crap ;)

   chattr +t /vservers

is what I meant, sorry for the confusion

best,
Herbert

> all-in-one and broken out patches for 2.4.24 as well
> as incremental patches are available at
>
> http://www.13thfloor.at/vserver/s_release/
>
> a temporary fix for the chmod()/chroot() exploit is
> to make the vserver directory immutable, but that
> will affect vserver creation and destruction in
> various ways, so an upgrade is advised.
>
> best,
> Herbert
>
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
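
A check for the two settings the corrected instructions call for (mode 000 and the attribute set by `chattr +t`), added here as an example and not part of the original message or the vserver tools. The function names are hypothetical, the sample values are constructed, and it assumes `lsattr -d` lists that attribute as `t`.

```shell
#!/bin/sh
# Added example: audit the barrier directory after applying the patch.
# Assumption: the flag set by `chattr +t` is listed as `t` by `lsattr -d`.

# barrier_check MODE FLAGS
#   MODE  - permission bits as printed by `stat -c %a` (000 prints as "0")
#   FLAGS - attribute field as printed by `lsattr -d`
# Prints one finding per problem; returns 0 only when both settings hold.
barrier_check() {
    mode=$1 flags=$2 rc=0
    # chmod 000: every permission bit must be cleared.
    case $mode in
        0|00|000|0000) ;;
        *) echo "mode is $mode, expected 000"; rc=1 ;;
    esac
    # chattr +t: the attribute must appear in the flag field.
    case $flags in
        *t*) ;;
        *) echo "attribute t not set (flags: $flags)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "barrier ok"
    return "$rc"
}

# audit_barrier [DIR]: read the live values and check them. Run as root,
# because a mode-000 directory cannot be opened by other users.
audit_barrier() {
    dir=${1:-/vservers}
    mode=$(stat -c %a "$dir") || return 2
    flags=$(lsattr -d "$dir" | awk '{print $1}') || return 2
    barrier_check "$mode" "$flags"
}

# Constructed sample values, so the logic can be seen without a vserver host.
barrier_check 0 "----------------t---"
barrier_check 755 "--------------------" || true
```

On a patched host, `audit_barrier /vservers` reads the real mode and attributes instead of the sample values.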


Generated on Fri 06 Feb 2004 - 21:56:32 GMT by hypermail 2.1.3