
From: Oliver Dietz (o.dietz_at_arcor.de)
Date: Fri 29 Apr 2005 - 20:53:18 BST

Hi NG,
Hi Herbert,

>> Is there a tool (like testme.sh) that tests the common (maybe also
>> uncommon) possibilities of misconfigurations (like the capabilities and
>> chroot-exploits) from inside the VServer?
> not yet, but sounds like something useful to me ...

ok, let's do some brainstorming (comment: I'm no vserver specialist nor can I
write programs on Linux):

Output could be like this:

# vserver test enter
context id is now ...
# vcapcheck
Checking environment ...

contextid is: 4711 [OK]
effective userid is: 0 [OK]
real userid is: 0 [OK]
effective groupid is: 0 [OK]
real groupid is: 0 [OK]

Checking posix capabilities ...

i have CAP_CHOWN [OK]
i have CAP_KILL [OK]
[...]
i have CAP_LINUX_IMMUTABLE [WARN]
    if you have locked some files because of unification, you should assign the immutable-flag to a vps.
    to remove this capability edit ...
i dont have CAP_NET_BROADCAST [OK]
i have CAP_SYS_BOOT [ERROR]
    Warning: any vserver can reboot the real server
i dont have CAP_MKNOD [OK]

Checking the Network Separation ...

determining if someone other listens on my ip [WARN]
    on port 22 (ssh) listens someone other, maybe the host is configured to listen on 0:0:0:0
trying to listen on localhost: no success [OK]
[...]

Trying to break out the chroot-jail ...

... to access the hosts files: no success [OK]
... to access other vservers: success [ERROR]
[...]

Trying to mount hda/sda/...: no success [OK]
Checking dev-directory: nothing suspicious found [OK]
Checking proc-fs [WARN]
    found kmem-entry
[...]

Checking for the usable RAM space [512MB]
Checking for available disk space [10 G]
    if the vserver is on the same partition as the real server you should verify that the vserver can't grab all disk space available
[...]
---

hm ... this list will get very long ... but I think it's very useful when configuring a vserver ...

... Oliver

_______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
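
An added example, not part of the original post and not code from the vserver project: one way the "Checking posix capabilities" step sketched in the message could be done from inside a guest, by decoding the CapEff bitmask in /proc/self/status. The function names, the POLICY table and the sample status text are assumptions of this example; the WARN verdict for a held CAP_NET_BROADCAST or CAP_MKNOD is also an assumption, since the message only shows those two as absent.

```python
import re

# Bit numbers from <linux/capability.h>. The verdict applies when the guest
# HOLDS the capability; an absent capability is always reported as OK.
# CHOWN/KILL/LINUX_IMMUTABLE/SYS_BOOT follow the sample output in the message;
# WARN for NET_BROADCAST and MKNOD is an assumption of this example.
POLICY = [
    ("CAP_CHOWN", 0, "OK"),
    ("CAP_KILL", 5, "OK"),
    ("CAP_LINUX_IMMUTABLE", 9, "WARN"),
    ("CAP_NET_BROADCAST", 11, "WARN"),
    ("CAP_SYS_BOOT", 22, "ERROR"),
    ("CAP_MKNOD", 27, "WARN"),
]

def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def check_caps(status_text):
    """Return (capability, held, verdict) for every capability in POLICY."""
    mask = effective_caps(status_text)
    results = []
    for name, bit, verdict_if_held in POLICY:
        held = bool((mask >> bit) & 1)
        results.append((name, held, verdict_if_held if held else "OK"))
    return results

def report(results):
    """Format results in the style of the proposed vcapcheck output."""
    return "\n".join(
        f"{'i have' if held else 'i dont have'} {name} [{verdict}]"
        for name, held, verdict in results
    )

# Constructed sample: bits 0, 5, 9 and 22 set, matching the message's output.
SAMPLE_STATUS = ("Name:\tbash\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000000400221\nCapEff:\t0000000000400221\n")

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:  # on Linux: check this process
            text = fh.read()
    except OSError:
        text = SAMPLE_STATUS                     # elsewhere: use the sample
    print(report(check_caps(text)))
```
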

Generated on Fri 29 Apr 2005 - 20:53:43 BST by hypermail 2.1.3