From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Tue 09 Aug 2005 - 09:31:51 BST
eyck_at_ghost.anime.pl ("Dariush Pietrzak,,,") writes:
>> >> legacy configuration does not have a big future and *would*
>> >> need security fixes first, this has a very low priority.
>> > What security fixes?
>>
>> Oh... where shall I begin? Basically, the filesystem operations
>> are full of races and contain enough opportunities for symlink
> I'm not sure I follow, what filesystem operations, reading of
> configuration?
Code like
| mkdir -p $1/proc $1/dev/pts
| mount -t proc none $1/proc
|
| rm -f `find var/run -type f`
| rm -f var/lock/subsys/*
|
| exec $_CHBIND $SILENT $IPOPT --bcast $IPROOTBCAST \
| $_CHCONTEXT_COMPAT $SILENT $FLAGS $CAPS --secure --ctx $S_CONTEXT \
| $_CAPCHROOT --suid $USERID . "$@"
(this enumeration is far away from being complete; just look
into the legacy 'vserver' script and you will find more of these
examples).
Enrico
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver