
From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Sat 31 Jul 2004 - 13:49:19 BST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 31 Jul 2004 ktf_at_gun.de wrote:

[*** IMHO: This patch is low-medium priority.]

There is no security risk to existing vservers. However, when creating a
vserver using `util-vserver'; if a file called:

  '/var/log/foo/bar root' (with a space in it)

exists, then, because of lack of quoting, an attempt to delete:

  /var/log/foo/bar
  /root

would be made.

- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*- -*-

Hello KTF,

Thank you for your interest, and your patch!

> If anybody is running vservers with the util-vserver-0.30 utilities
> he/she may want to have a look at the attached patch below.

When posting an unsigned patch ``out-of-the-blue'' it is often useful to say
a little about what it does. Or perhaps add comments to the patch stating
what it changes and why:

These changes appear in the vserver creation function:

- - rm -f var/spool/mail/*
- - rm -f `find var/run -type f`
- - rm -f `find var/log -type f`
+ find var/spool/mail -type f -print0 | xargs -0r rm --
+ find var/run -type f -print0 | xargs -0r rm --
+ find var/log -type f -print0 | xargs -0r rm --
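Review bot: the three added lines run `rm --` without the `-f` that the removed lines passed, while the later var/run hunk uses `rm -f --`. Use `rm -f --` here as well so the only behavioural change is the quoting fix. The var/spool/mail line also narrows the old `*` glob to `-type f`, which should be stated in the patch description if it is intended.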

As the vserver can be created from copying an existing template, these
ensure that no logs or undelivered mail is left around; and are replaced
with secure versions that work with files with ` ' (spaces) in them.

Note, with the mail, it might be better to do cat /dev/null > $F as some
MTAs have issues with delivering to non-pre-existing mailboxes.

- - rm -fr lib/modules/*
+ rm -rf lib/modules
+ mkdir lib/modules # is that directory needed anyway?
+ chmod 755 lib/modules
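Review bot: the comment on the `mkdir lib/modules` line asks a question ("is that directory needed anyway?") instead of documenting a decision. Settle it before merging, then either drop the `mkdir`/`chmod` pair or replace the comment with the reason the empty directory must exist. The mode is also written `755` here and `0755` in the var/lock/subsys hunk; pick one form.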

Not sure why this change is needed, but there's nothing wrong with it.

(BTW: Are you aware of `mkdir -m 755 -p lib/modules'?)

                touch var/log/wtmp
- - rm -f var/lock/subsys/*
+ rm -rf var/lock/subsys
+ mkdir var/lock/subsys
+ chmod 0755 var/lock/subsys
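Review bot: `mkdir var/lock/subsys` has no `-p`, so it fails when var/lock is absent, whereas the removed `rm -f var/lock/subsys/*` tolerated a missing directory. `mkdir -p -m 0755 var/lock/subsys` covers that case and folds the `chmod` into the same step.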

Same again, I'm not sure why/what this change achieves, but there's nothing
wrong with it.

- - rm -f `find var/run -type f`
+ find var/run -type f -print0 | xargs -0r rm -f --

Copes with files with ' ' (spaces) in them.

- - rm -f var/lock/subsys/*
+ rm -rf var/lock/subsys
+ mkdir var/lock/subsys
+ chmod 0755 var/lock/subsys

Additionally, recursively deletes any directories that might have been below
`/var/lock/subsys'. This may actually cause problems as those directories
may be required (would need to check the FHS as to whether they are
allowed).

Once again, thanks for bringing the spaces issue to people's attention, and
could you comment on whether the above evaluation is correct?

        -Paul
- --
Is there no safe way to travel? London, GB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBC5VVc444tukM+iQRAh9YAJoCHQcwDmcNXR8iu0OyKLBypzpkEwCg1Hnc
NAhAOlt2UJ7XcW1+EOTNkro=
=21CH
-----END PGP SIGNATURE-----

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
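
The word-splitting failure described at the top of the message, and the `-print0`/`xargs -0` form from the patch, reproduced side by side in a throwaway directory. This is an added example, not code from util-vserver or from the patch; the function names, the sandbox layout and the sentinel file `root` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sandbox: one log file with a space in its name, plus a sentinel
# file named "root" standing in for the unrelated path that must survive.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/var/log/foo"
    : > "$sb/var/log/foo/bar root"
    : > "$sb/root"
    printf '%s\n' "$sb"
}

# Old form: the backtick output is split on whitespace, so rm receives
# "var/log/foo/bar" and "root" as two separate arguments.
cleanup_unquoted() {
    ( cd "$1" && rm -f `find var/log -type f` )
}

# Patched form: NUL-delimited names reach rm intact; "--" ends option parsing
# so a name starting with "-" is not read as a flag.
cleanup_print0() {
    ( cd "$1" && find var/log -type f -print0 | xargs -0r rm -f -- )
}

# List the regular files still present, relative to the sandbox root.
survivors() {
    ( cd "$1" && find . -type f | sort )
}

a=$(make_sandbox); cleanup_unquoted "$a"
b=$(make_sandbox); cleanup_print0 "$b"
echo "after unquoted rm:";   survivors "$a"
echo "after print0 | xargs:"; survivors "$b"
rm -rf "$a" "$b"
```

The unquoted run leaves the log file in place and removes the sentinel; the patched run does the opposite.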


Generated on Sat 31 Jul 2004 - 13:50:22 BST by hypermail 2.1.3