
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sat 07 Feb 2004 - 15:42:17 GMT


On Fri, Feb 06, 2004 at 11:55:06PM -1000, Warren Togami wrote:
> >
> > Hello Folks!
> >
> > because the last security fix for the chmod()/chroot()
> > issue was a little too fast, and a little too secure
> > for some distros (debian was mentioned), this release
> > restricts the security to the 'important' parts, the
> > vserver directory.
> >
> > this is done in the following way:
> >
> > the chroot() 000 barrier is unaffected and unchanged,
> > but in addition to that, a barrier with IUNLINK set
> > cannot be changed (chmod()), so the exploit isn't
> > possible on such a secured system.
> >
> > What you have to do, after applying that patch?
> >
> > chmod 000 /vservers
> > chattr +t -d /vservers
> >
> > all-in-one and broken out patches for 2.4.24 as well
> > as incremental patches are available at
> >
> > http://www.13thfloor.at/vserver/s_release/
> >
> > a temporary fix for the chmod()/chroot() exploit is
> > to make the vserver directory immutable, but that
> > will affect vserver creation and destruction in
> > various ways, so an upgrade is advised.
> >
> > best,
> > Herbert
> >
>
> Hi Herbert,
>
> In the future could you please post GPG signed .asc signatures along with
> each release as part of standard release practice? Perhaps a link to the
> .asc file on your page too?

I'm working on that, and the first step has been done
already, but it wasn't worth the effort for the last
two releases; the incremental patches are quicker to
verify than the pgp key.

> It would really save me a lot of time because otherwise I need to manually
> read diffs in order to guard against even the slightest possibility of
> trojaned sources on a compromised site.

I would always suggest manually reviewing any patches
you add to your kernel, and reporting any findings, but
I know that there _is_ demand for signatures, and I'll
try to add that asap ...

HTH,
Herbert

> Warren Togami
> wtogami_at_redhat.com
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
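The barrier setup described in the quoted announcement (mode 000 plus `chattr +t -d` on the vserver directory) can be audited with the script below; it is an added example, not code from the list post or from the vserver project. It assumes GNU coreutils `stat` and e2fsprogs `lsattr`, must run as root (a mode-000 directory cannot be opened by anyone else), and the directory path is hypothetical.

```sh
#!/bin/sh
# Added example: verify that a vserver root carries both halves of the
# barrier the announcement asks for: permission bits 000 and the 't'
# attribute (set with "chattr +t -d"), which the patched kernel treats
# as the unchangeable (IUNLINK) barrier marker.

# Pure decision function: takes the octal mode as printed by "stat -c %a"
# and the flag field of "lsattr -d". Prints "ok" and returns 0 when both
# conditions hold, otherwise prints the missing pieces and returns 1.
barrier_state() {
    mode="$1"; flags="$2"
    problems=""
    case "$mode" in
        0|000|0000) ;;                      # stat prints "0" for mode 000
        *) problems="mode-not-000" ;;
    esac
    case "$flags" in
        *t*) ;;                             # lowercase 't' = chattr +t
        *) problems="${problems:+$problems }no-t-attr" ;;
    esac
    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "$problems"
    return 1
}

# Live check against a real directory (hypothetical default: /vservers).
# Needs root so that stat/lsattr can reach a mode-000 directory.
check_vserver_root() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    mode=$(stat -c %a "$dir") || return 2
    flags=$(lsattr -d "$dir" 2>/dev/null | awk '{print $1}') || return 2
    barrier_state "$mode" "$flags"
}

if [ $# -gt 0 ]; then
    check_vserver_root "$1"
fi
```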


Generated on Sat 07 Feb 2004 - 15:43:37 GMT by hypermail 2.1.3