On Tuesday 15 June 2010 15:18:20 you wrote:
> can you please read the readme on my page:
> http://people.linux-vserver.org/~harry/
I've read that page before and I've set it accordingly:
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_findtask = 0
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_restrict_nice = 1
I can disable the remaining restrictions, but I don't see how it correlates with
PaX catching a refcount overflow. VServer starts normally, just after some time
(I guess when some amount of data was transmitted/received) all processes which
try to do networking freeze. Then I have to restart the vserver to make it
work again.
> and while you're at it, use the latest patch for 2.6.32.15. It contains
> some bugfixes too.
The server is quite hard to approach physically, so I would like to keep
reboots to a minimum. Are there changes in the vserver code or only in the Linux
version?
Thanks,
Jan Pobrislo