From: Micah Anderson (micah_at_riseup.net)
Date: Sat 30 Apr 2005 - 00:44:58 BST
This would be a great script. Just reading the items that you wrote
made me curious about some things in my setup, and I would like to test
them out, but manually it would be a chore on several of them, of course.
On Fri, 29 Apr 2005, Oliver Dietz wrote:
> Hi NG,
> Hi Herbert,
> >>Is there a tool (like testme.sh) that tests the common (maybe also
> >>uncommon) possibilities of misconfigurations (like the capabilities and
> >>chroot exploits) from inside the VServer?
> >not yet, but sounds like something useful to me ...
> ok, let's do some brainstorming (comment: I'm no vserver specialist, nor can
> I write programs on Linux):
> Output could be like this:
> # vserver test enter
> context id is now ...
> # vcapcheck
> Checking environment ...
> contextid is: 4711 [OK]
> effective userid is: 0 [OK]
> real userid is: 0 [OK]
> effective groupid is: 0 [OK]
> real groupid is: 0 [OK]
> Checking posix capabilities ...
> i have CAP_CHOWN [OK]
> i have CAP_KILL [OK]
> i have CAP_LINUX_IMMUTABLE [WARN]
> if you have locked some files because of unification,
> you should assign the immutable flag to a vps.
> to remove this capability edit ...
> i don't have CAP_NET_BROADCAST [OK]
> i have CAP_SYS_BOOT [ERROR]
> Warning: any vserver can reboot the real server
> i don't have CAP_MKNOD [OK]
> Checking the Network Separation ...
> determining if someone else listens on my IP [WARN]
> on port 22 (ssh) someone else listens, maybe
> the host is configured to listen on 0:0:0:0
> trying to listen on localhost: no success [OK]
> Trying to break out of the chroot jail ...
> ... to access the hosts files: no success [OK]
> ... to access other vservers: success [ERROR]
> Trying to mount hda/sda/...: no success [OK]
> Checking dev-directory: nothing suspicious found
> Checking proc-fs [WARN]
> found kmem-entry [...]
> Checking for the usable RAM space [512MB]
> Checking for available disk space [10 G]
> if the vserver is on the same partition as the real server
> you should verify that the vserver can't grab all disk space
> hm ... this list will get very long ... but I think it's very useful when
> configuring a vserver ...
> ... Oliver
Vserver mailing list
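A minimal version of the "vcapcheck" capability pass Oliver sketches above, written here as an added example; it is not code from the thread or from the vserver project. It reads the CapEff mask from /proc/self/status; the bit numbers come from linux/capability.h, while the OK/WARN/ERROR policy table and the sample status text are assumptions made for this example.

```shell
# Added example, not Oliver's sketch or vserver project code: a minimal
# vcapcheck-style pass that reads the process's effective capability set
# (CapEff in /proc/self/status) and grades it the way the sketch does.
# Bit numbers are from linux/capability.h; the OK/WARN/ERROR policy is assumed.

# Constructed sample of a guest status file whose process still holds
# CAP_CHOWN, CAP_KILL, CAP_LINUX_IMMUTABLE, CAP_SYS_BOOT (bits 0,5,9,22 -> 0x400221)
SAMPLE_STATUS=$(printf 'Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000400221\n')

# cap_present HEX BIT -> prints 1 if BIT is set in the hex mask, else 0
cap_present() {
    echo $(( (0x$1 >> $2) & 1 ))
}

# capeff_from_status TEXT -> prints the hex mask on the CapEff: line
capeff_from_status() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }'
}

# grade HEX NAME BIT SEVERITY -> one report line; SEVERITY applies when held
grade() {
    if [ "$(cap_present "$1" "$3")" -eq 1 ]; then
        echo "i have $2 [$4]"
    else
        echo "i don't have $2 [OK]"
    fi
}

# run_check TEXT -> prints the report, returns 1 if any ERROR was found
run_check() {
    hex=$(capeff_from_status "$1")
    rc=0
    echo "Checking posix capabilities (CapEff=$hex) ..."
    while read -r name bit sev; do
        line=$(grade "$hex" "$name" "$bit" "$sev")
        echo "$line"
        case "$line" in *"[ERROR]"*) rc=1 ;; esac
    done <<EOF
CAP_CHOWN 0 OK
CAP_KILL 5 OK
CAP_LINUX_IMMUTABLE 9 WARN
CAP_NET_BROADCAST 11 WARN
CAP_SYS_BOOT 22 ERROR
CAP_MKNOD 27 ERROR
EOF
    return $rc
}

# On a real guest: run_check "$(cat /proc/self/status)"
run_check "$SAMPLE_STATUS" || echo "at least one ERROR finding"
```

Run it with sh from inside the guest; a non-zero exit from run_check means a capability the policy table marks ERROR is still held.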