
From: Micah Anderson (micah_at_riseup.net)
Date: Sat 30 Apr 2005 - 00:44:58 BST


This would be a great script, just reading the items that you wrote
made me curious about some things in my setup and I would like to test
them out, but manually it would be a chore on several of them of course.

micah

On Fri, 29 Apr 2005, Oliver Dietz wrote:

> Hi NG,
> Hi Herbert,
>
> >>Is there a tool (like testme.sh) that tests the common (maybe also
> >>uncommon) possibilities of misconfigurations (like the capabilities and
> >>chroot-exploits) from inside the VServer?
> >
> >not yet, but sounds like something useful to me ...
>
> ok, let's do some brainstorming (comment: I'm no vserver specialist nor can
> I write programs on linux):
>
> Output could be like this:
> ---
> # vserver test enter
> [...]
> context id is now ...
> [...]
> # vcapcheck
> Checking environment ...
>
> contextid is: 4711 [OK]
> effective userid is: 0 [OK]
> real userid is: 0 [OK]
> effective groupid is: 0 [OK]
> real groupid is: 0 [OK]
>
> Checking posix capabilities ...
>
> i have CAP_CHOWN [OK]
> i have CAP_KILL [OK]
> [...]
> i have CAP_LINUX_IMMUTABLE [WARN]
> if you have locked some files because of unification,
> you should assign the immutable-flag to a vps.
> to remove this capability edit ...
> i dont have CAP_NET_BROADCAST [OK]
> i have CAP_SYS_BOOT [ERROR]
> Warning: any vserver can reboot the real server
> i dont have CAP_MKNOD [OK]
>
> Checking the Network Separation ...
>
> determining if someone other listens on my ip [WARN]
> on port 22 (ssh) listens someone other, maybe
> the host is configured to listen on 0:0:0:0
> trying to listen on localhost: no success [OK]
> [...]
>
> Trying to break out the chroot-jail ...
>
> ... to access the hosts files: no success [OK]
> ... to access other vservers: success [ERROR]
> [...]
>
> Trying to mount hda/sda/...: no success [OK]
> Checking dev-directory: nothing suspicious found [OK]
> Checking proc-fs [WARN]
> found kmem-entry [...]
>
> Checking for the usable RAM space [512MB]
> Checking for available disk space [10 G]
> if the vserver is on the same partition as the real server
> you should verify that the vserver can't grab all disk space
> available
> [...]
> ---
>
> hm ... this list will get very long ... but I think it's very useful when
> configuring a vserver ...
>
>
> ... Oliver
>
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
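
The "Checking posix capabilities" part of the mock-up quoted above can be sketched in shell as follows. This is an added example, not code from the thread or from the Linux-VServer project: the function names are hypothetical, and grading a present CAP_NET_BROADCAST or CAP_MKNOD as WARN is an assumption, since the mock-up only shows them absent.

```shell
#!/bin/sh
# Added example (not from the thread): grade the effective capability
# mask the way the "Checking posix capabilities" mock-up does.

# name:bit:verdict-if-present. Bit numbers come from <linux/capability.h>.
# WARN/ERROR for LINUX_IMMUTABLE/SYS_BOOT follow the mock-up; WARN for a
# present NET_BROADCAST or MKNOD is an assumption of this example.
CAP_POLICY='CAP_CHOWN:0:OK
CAP_KILL:5:OK
CAP_LINUX_IMMUTABLE:9:WARN
CAP_NET_BROADCAST:11:WARN
CAP_SYS_BOOT:22:ERROR
CAP_MKNOD:27:WARN'

# cap_effective [status-file]: print the CapEff hex mask of a process.
cap_effective() {
    sed -n 's/^CapEff:[[:space:]]*//p' "${1:-/proc/self/status}"
}

# cap_has HEXMASK BIT: succeed if capability number BIT is set.
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_verdict HEXMASK NAME: print OK, WARN or ERROR for one capability.
cap_verdict() {
    entry=$(printf '%s\n' "$CAP_POLICY" | grep "^$2:") || return 2
    bit=${entry#*:}; bit=${bit%%:*}
    if cap_has "$1" "$bit"; then echo "${entry##*:}"; else echo OK; fi
}

# cap_report HEXMASK: one line per capability; returns 1 on any ERROR.
cap_report() {
    rc=0
    for name in $(printf '%s\n' "$CAP_POLICY" | cut -d: -f1); do
        bit=$(printf '%s\n' "$CAP_POLICY" | sed -n "s/^$name:\([0-9]*\):.*/\1/p")
        if cap_has "$1" "$bit"; then have='i have'; else have='i dont have'; fi
        verdict=$(cap_verdict "$1" "$name")
        if [ "$verdict" = ERROR ]; then rc=1; fi
        printf '%-12s%-22s[%s]\n' "$have" "$name" "$verdict"
    done
    return "$rc"
}

# Run against the current process with: sh vcapcheck.sh --check
if [ "${1:-}" = "--check" ]; then
    cap_report "$(cap_effective)"
fi
```

The constructed mask `00400221` has CAP_CHOWN, CAP_KILL, CAP_LINUX_IMMUTABLE and CAP_SYS_BOOT set, which reproduces the verdicts in the mock-up.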


Generated on Sat 30 Apr 2005 - 00:45:29 BST by hypermail 2.1.3