From: Ville Herva (vherva_at_viasys.com)
Date: Sun 08 Feb 2004 - 13:56:58 GMT
On Fri, Feb 06, 2004 at 10:33:14PM +0100, you [Herbert Poetzl] wrote:
>
> Hello Folks!
>
> because the last security fix for the chmod()/chroot()
> issue was a little too fast, and a little too secure
> for some distros (debian was mentioned), this release
> restricts the security to the 'important' parts, the
> vserver directory.
>
> this is done in the following way:
>
> the chroot() 000 barrier is unaffected and unchanged,
> but in addition to that, a barrier with IUNLINK set
> can not be changed (chmod()), so the exploit isn't
> possible on such a secured system.
>
> What do you have to do after applying that patch?
>
> chmod 000 /vservers
> chattr +t /vservers
Just in case anyone is interested, here's the security fix separated out
(from "interdiff patch-2.4.24-vs1.24.diff patch-2.4.24-vs1.26.diff" output):
diff -u linux-2.4.24-vs1.24/fs/open.c linux-2.4.24-vs1.26/fs/open.c
--- linux-2.4.24-vs1.24/fs/open.c Sat Jan 17 05:27:22 2004
+++ linux-2.4.24-vs1.26/fs/open.c 2004-02-06 21:41:49.000000000 +0100
@@ -476,6 +476,10 @@
dentry = file->f_dentry;
inode = dentry->d_inode;
+ err = -EPERM;
+ if ((inode->i_mode & 0777) == 0 && S_ISDIR(inode->i_mode)
+ && IS_IMMUTABLE_LINK(inode) && !vx_check(0, VX_ADMIN))
+ goto out_putf;
err = -EROFS;
if (IS_RDONLY(inode))
goto out_putf;
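Review bot: the new guard `+ if ((inode->i_mode & 0777) == 0 && S_ISDIR(inode->i_mode)` carries no comment, and its intent (a 000 directory with IUNLINK set is a vserver barrier that only the admin context may chmod()) cannot be recovered from the code; add a one-line comment above the `err = -EPERM;` assignment saying so. Also state explicitly that the 0777 mask ignores the setuid/setgid/sticky bits, so a directory with mode 01000 is still treated as a barrier here; if that is intended it belongs in the comment, otherwise the mask should be 07777.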
@@ -506,6 +510,11 @@
goto out;
inode = nd.dentry->d_inode;
+ error = -EPERM;
+ if ((inode->i_mode & 0777) == 0 && S_ISDIR(inode->i_mode)
+ && IS_IMMUTABLE_LINK(inode) && !vx_check(0, VX_ADMIN))
+ goto dput_and_out;
+
error = -EROFS;
if (IS_RDONLY(inode))
goto dput_and_out;
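Review bot: the three-line condition here is a verbatim copy of the one added to the fchmod() path in the previous hunk; factor it into a small inline helper (a hypothetical `vx_barrier_chmod_denied(inode)`, for example) so the two paths cannot drift apart when the barrier rule changes. Note also that because the check sits before `error = -EROFS;`, a barrier on a read-only filesystem now reports EPERM instead of EROFS, which is a visible behaviour change worth a line in the changelog.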
--
Ville Herva  vherva_at_viasys.com  +358-40-5756996
ViaSys Oy  Hannuntie 6  FIN-02360 Espoo  +358-9-2313-2160
PGP key available: http://www.iki.fi/v/pgp.html  fax +358-9-2313-2250

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver