
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sat 07 Feb 2004 - 03:25:25 GMT


On Sat, Feb 07, 2004 at 03:31:47AM +0100, Jan Panoch wrote:
> Hi All,
>
> Does anyone have an idea how to avoid this security risk and continue to use
> XFS as my filesystem?
> The 1.26 patch is functional only on ext2/ext3 filesystems, I think...

hmm, xfs is in 2.4.25-rc1 and so I'm working on support
for that. If you are interested in testing this stuff,
let me know or show up on the IRC channel (#vserver on irc.oftc.net).

I'll be there until 5:30am CET and will return after 18:00 CET

HTH,
Herbert

> Tnx
>
> JP
>
> Cathy Sarisky wrote:
>
> >Hi All,
> >
> >RedHat (at least 9, not sure about earlier) is affected by vs1.25 also -
> >although most things work normally, useradd creates a directory with 000
> >permissions that root is not able to chmod. Can anyone running RH confirm
> >that vs1.26 doesn't have the issue before I build the kernel?
> >
> >Thanks!
> >Cathy
> >
> >p.s. Herbert - thank you for the VERY fast response to the vulnerability.
> >:)
> >
> >On Fri, 6 Feb 2004, Herbert Poetzl wrote:
> >
> >
> >
> >>On Fri, Feb 06, 2004 at 10:33:14PM +0100, Herbert Poetzl wrote:
> >>
> >>
> >>>Hello Folks!
> >>>
> >>>Because the last security fix for the chmod()/chroot()
> >>>issue was a little too fast, and a little too secure
> >>>for some distros (Debian was mentioned), this release
> >>>restricts the security to the 'important' part, the
> >>>vserver directory.
> >>>
> >>>This is done in the following way:
> >>>
> >>>the chroot() 000 barrier is unaffected and unchanged,
> >>>but in addition to that, a barrier with IUNLINK set
> >>>cannot be changed (chmod()), so the exploit isn't
> >>>possible on such a secured system.
> >>>
> >>>What do you have to do after applying that patch?
> >>>
> >>>chmod 000 /vservers
> >>>chattr +t -d /vservers
> >>>
> >>>
> >>as enrico pointed out, this is crap ;)
> >>
> >> chattr +t /vservers
> >>
> >>is what I meant, sorry for the confusion
> >>
> >>best,
> >>Herbert
> >>
> >>
> >>
> >>>All-in-one and broken-out patches for 2.4.24, as well
> >>>as incremental patches, are available at
> >>>
> >>>http://www.13thfloor.at/vserver/s_release/
> >>>
> >>>a temporary fix for the chmod()/chroot() exploit is
> >>>to make the vserver directory immutable, but that
> >>>will affect vserver creation and destruction in
> >>>various ways, so an upgrade is advised.
> >>>
> >>>best,
> >>>Herbert
> >>>
> >>>_______________________________________________
> >>>Vserver mailing list
> >>>Vserver_at_list.linux-vserver.org
> >>>http://list.linux-vserver.org/mailman/listinfo/vserver
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
> --
> Jan Panoch - CTO
>
> ==================================================
> GLOBE INTERNET, s.r.o. http://globe.cz
> SERVERY.CZ server and web housing
> DOMENY.CZ the largest registrar of CZ domains
> GLOBEDESIGN.CZ online marketing and application development
> ==================================================
> address: Planickova 1, 162 00 Praha 6
> map: http://mapa.globe.cz
> mail: panoch.jan_at_globe.cz
> GSM: +420 605 204 511
> Tel: +420 235 365 000 Ext.:123
> Fax: +420 235 365 009
>
>
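A small audit helper for the two-step fix discussed in the thread (chmod 000 plus chattr +t on the vserver directory). This is an added example, not code from the thread or from the linux-vserver project; it assumes the patched kernel from the thread, where `chattr +t DIR` sets the IUNLINK barrier and `lsattr -d` shows it as a `t` in the flag field.

```shell
#!/bin/sh
# Checks that a vserver root directory carries both halves of the barrier
# described in the thread: mode 000 and the IUNLINK flag (chattr +t).
# Assumption: lsattr on the patched system prints the barrier as 't'.

# barrier_ok MODE FLAGS
#   MODE  - octal permission bits as printed by "stat -c %a" ("0" or "000")
#   FLAGS - the attribute field printed by "lsattr -d" (e.g. "----t---------")
# Returns 0 when both the 000 mode and the 't' flag are present, 1 otherwise.
barrier_ok() {
    mode=$1
    flags=$2
    # stat prints "0" for mode 000; accept zero-padded forms too.
    case $mode in
        0|00|000|0000) ;;
        *) return 1 ;;
    esac
    # Only the lowercase 't' is the barrier; 'T' is a different ext2 flag.
    case $flags in
        *t*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_dir DIR - runs both checks against a live directory and reports.
audit_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    mode=$(stat -c %a "$dir")
    # lsattr prints "<flags> <path>"; keep only the flag field.
    flags=$(lsattr -d "$dir" 2>/dev/null | awk '{print $1}')
    if barrier_ok "$mode" "$flags"; then
        echo "$dir: barrier OK (mode $mode, attrs ${flags:-none})"
    else
        echo "$dir: barrier MISSING (mode $mode, attrs ${flags:-none})" >&2
        echo "  fix: chmod 000 $dir && chattr +t $dir" >&2
        return 1
    fi
}

# Usage: audit_dir /vservers
```

Run `audit_dir /vservers` as root after applying the patch; a non-zero exit means at least one half of the barrier is missing.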


Generated on Sat 07 Feb 2004 - 03:26:28 GMT by hypermail 2.1.3