
From: Michael Hilscher (mail_at_msh-webservice.de)
Date: Mon 09 Feb 2004 - 22:31:58 GMT


On 09.02.2004 at 13:29, Herbert Poetzl wrote:
> chmod 000 /vservers
> chattr +t /vservers
>
> / # ls -ld /vservers
> d--------- 10 root root 1024 Dec 6 00:15 /vservers
> / # lsattr -d /vservers
> -----------t- /vservers
>
> SECURE

you are right, after
chmod 000 /vservers
chmod +t /vservers

the exploit doesn't work anymore. But on the other hand, I can't create a new
vserver anymore:
vserver beta build
cp: cannot create hard link `/vservers/beta/./sbin/e2fsck' to
`/vservers/beta/./sbin/fsck.ext3': Operation not permitted
... and so on :(

AND the chattr +t cmd only worked correctly after deleting the old /vserver
dir.
I used it on the old /vserver first, but after chattr +t /vservers I got:
lsattr -d /vservers
------------- /vservers

That's the reason why the exploit still worked after upgrading to 1.24 ...

But in the end I can't see any benefit to the chattr +i /vservers method.
If I want to create a new vserver I have to chattr -i with the old Vserver.
With 1.24 I need to chattr -t /vservers before I can create a new one.

Is there another security issue in the old ctx16 which I might not know
about yet, or am I secure (for the moment) with chattr +i ???

greetinXs,
Michael Hilscher

--
Would Mozart have been more productive if he had scribes to help him, a
secretary and a CEO to lead his way? -- Linus Torvalds
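
Added example, not part of the original message or of the vserver tools: a small check that both settings from the thread actually took effect, since the message above reports a chattr +t that left lsattr showing no flag. It assumes `ls -ld` and `lsattr -d` print lines shaped like the ones quoted in the thread; the function names and the result strings are made up for this example.

```shell
#!/bin/sh
# Verify the /vservers hardening described in the thread:
# mode 000 on the directory and the `t` flag visible in lsattr.

# mode_is_000 "<ls -ld line>": true if the permission field is d---------
mode_is_000() {
    perms=${1%% *}                      # first field of the ls -ld line
    case $perms in
        d---------|d---------.) return 0 ;;   # trailing "." = SELinux marker
        *) return 1 ;;
    esac
}

# flag_is_set "<lsattr -d line>" <letter>: true if the flag field has the letter
flag_is_set() {
    flags=${1%% *}                      # flag field only, never the path
    case $flags in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_lines "<ls -ld line>" "<lsattr -d line>": prints SECURE or the problems
check_lines() {
    problems=""
    mode_is_000 "$1" || problems="mode-not-000"
    flag_is_set "$2" t || problems="${problems:+$problems,}t-flag-missing"
    if [ -z "$problems" ]; then
        echo "SECURE"
    else
        echo "INSECURE:$problems"
    fi
}

# check_dir <path>: run the real tools and evaluate their output
check_dir() {
    ls_line=$(ls -ld "$1") || return 2
    attr_line=$(lsattr -d "$1") || return 2
    check_lines "$ls_line" "$attr_line"
}

# Only touch the filesystem when a directory is given on the command line
if [ $# -gt 0 ]; then
    check_dir "$1"
fi
```

Run it as root after every chattr call and after every vserver build that required lifting the flag, so a silently missing flag is noticed before the directory goes back into use.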

Generated on Mon 09 Feb 2004 - 22:35:08 GMT by hypermail 2.1.3