
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Mon 09 Feb 2004 - 22:49:13 GMT


On Mon, Feb 09, 2004 at 11:31:58PM +0100, Michael Hilscher wrote:
> On 09.02.2004 at 13:29, Herbert Poetzl wrote:
> >chmod 000 /vservers
> >chattr +t /vservers
> >
> >/ # ls -ld /vservers
> >d--------- 10 root root 1024 Dec 6 00:15 /vservers
> >/ # lsattr -d /vservers
> >-----------t- /vservers
> >
> >SECURE
>
> you are right, after
> chmod 000 /vservers
> chmod +t /vservers
>
> the exploit doesn't work anymore. But on the other hand, I can't create a new
> vserver anymore:
> vserver beta build
> cp: cannot create hard link `/vservers/beta/./sbin/e2fsck' to
> `/vservers/beta/./sbin/fsck.ext3': Operation not permitted
> ... and so on :(

atm, I do not see how this might be related, because
creation of hardlinks and such stuff isn't affected
by the 000+t barrier ...

> AND the chattr +t command only worked correctly after deleting the old /vserver
> dir.
> I used it on the old /vserver first but, after chattr +t /vservers, I got:
> lsattr -d /vservers
> ------------- /vservers

that is very unlikely, as the sole purpose of chattr +t is
to change those flags, so an unchanged flag after chattr +t
would be a bug in the e2fsprogs ...

> that's the reason why the exploit still worked after upgrading to 1.24 ...
>
> But in the end I can't see any benefit to the chattr +i /vservers method.
> If I want to create a new vserver I have to chattr -i with the old vserver.
> With 1.24 I need to chattr -t /vservers before I can create a new one.

if done properly, that should not be required
(probably other permissions are wrong in your setup too)

> Is there another security issue in old ctx16 which I might not know
> about yet, or am I secure (for the moment) with chattr +i ???

 - procfs issues (might allow host reboot/scsi fun)
 - the kernel exploit fixed in 2.4.24
 - chattr +i isn't really safe, if you 'disable' it
   (even for short periods of time)

best,
Herbert

> greetinXs,
> Michael Hilscher
> --
> Would Mozart have been more productive if he had scribes to help him, a
> secretary and a CEO to lead his way? -- Linus Torvalds
>
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
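A check for the barrier discussed in this thread (mode 000 plus the sticky attribute on the vserver root), added here as an example; it is not code from the original mail or from the linux-vserver tools, and the function names `barrier_status` and `check_dir` are my own.

```shell
#!/bin/sh
# Added example: verify the chmod 000 + chattr +t barrier on a vserver
# root directory by inspecting the same two outputs quoted in the thread.

# barrier_status MODE_LINE ATTR_LINE
#   MODE_LINE: one line of `ls -ld DIR` output (e.g. "d--------- 10 root ...")
#   ATTR_LINE: one line of `lsattr -d DIR` output (e.g. "-----------t- /dir")
# Prints "SECURE" when both checks pass, otherwise lists what is missing,
# which is exactly the situation Michael reported (no t flag shown).
barrier_status() {
  mode_line=$1
  attr_line=$2
  missing=""
  # first field of ls -ld: file type and permission bits, must be d---------
  case "$mode_line" in
    d---------*) ;;
    *) missing="${missing}mode-not-000 " ;;
  esac
  # first field of lsattr -d: attribute flags, must contain a 't'
  attrs=${attr_line%% *}
  case "$attrs" in
    *t*) ;;
    *) missing="${missing}no-t-attr " ;;
  esac
  if [ -z "$missing" ]; then
    echo SECURE
  else
    echo "INSECURE: ${missing% }"
  fi
}

# check_dir DIR: run both commands on a real directory.  Needs lsattr from
# e2fsprogs and a filesystem that supports the attribute (ext2/ext3 here).
check_dir() {
  dir=$1
  barrier_status "$(ls -ld "$dir")" "$(lsattr -d "$dir" 2>/dev/null)"
}
```

Run `check_dir /vservers` on the host to get the same SECURE/INSECURE verdict Herbert gives above.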


Generated on Mon 09 Feb 2004 - 22:50:43 GMT by hypermail 2.1.3