Re: [vserver] setattr for vserver over NFS

From: Nikolay Kichukov <hijacker_at_oldum.net>
Date: Thu 15 Dec 2011 - 08:40:02 GMT
Message-ID: <4EE9B262.3010904@oldum.net>

Hi Herbert,

so that is enabled by default on current code? I still mount with attr option just to use the barrier escape prevention
mechanism. I am outdated with the recent changes...

Thanks,
-Nik

On 12/14/2011 08:16 PM, Herbert Poetzl wrote:
> On Wed, Dec 14, 2011 at 09:14:24AM -0700, Dan Urist wrote:
>> Can you tell me (or give me a pointer to some docs) what
>> mechanism has replaced the barrier for chroot security?
>
> mount/filesystem namespaces and pivot basically makes
> the barrier obsolete, as it shouldn't be possible to
> escape from a separate namespace.
>
> best,
> Herbert
>
>> On Wed, 14 Dec 2011 02:37:36 +0100
>> Herbert Poetzl <herbert@13thfloor.at> wrote:
>
>>> On Tue, Dec 13, 2011 at 11:18:38AM -0700, Dan Urist wrote:
>>>> I have a number of vservers running on a Debian lenny host that
>>>> I'm planning to migrate to a squeeze host. The vservers' root
>>>> filesystems are on NFS shares from a netapp.
>
>>>> I've followed the instructions to set the barrier attribute here:
>>>> http://linux-vserver.org/Secure_chroot_Barrier#Solution:_Secure_Barrier
>
>>>> The problem I'm having is "setattr --barrier" doesn't appear to
>>>> do anything for the NFS filesystems, as reported by showattr
>>>> (it works for other vservers on ext3 filesystems, though).
>>>> I've tried this on both the lenny and the squeeze hosts, with
>>>> the filesystems mounted as both NFSv3 and NFSv4 (the netapp
>>>> supports both). I've also tried mounting the filesystems with
>>>> the "noac" option, which had no effect. Here are the package
>>>> versions for the squeeze host:
>
>>>> linux-image-2.6.32-5-vserver-amd64
>>>> 2.6.32-39 util-vserver
>>>> 0.30.216-pre2864-2+b1
>
>>> the barrier is not implemented for NFS as NFS doesn't
>>> support xattr (which the barrier is based on) at all
>
>>> but, with a recent kernel and recent util-vserver,
>>> you won't be needing the barrier anyway ...
>
>>> note that I do not know if the debian kernel/tools
>>> are recent enough, so I'd suggest to ask the debian
>>> folks about this case.
>
>>> HTH,
>>> Herbert
>
>>>> Does anyone have any experience with running vservers over NFS?
>
>
>>>> --
>>>> Dan Urist
>>>> durist@ucar.edu
>>>> 303-497-2459
>
>
>
>> --
>> Dan Urist
>> durist@ucar.edu
>> 303-497-2459
Received on Thu Dec 15 08:40:15 2011
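A host-side check that follows from the thread (a vserver root that lives on an NFS mount cannot carry the barrier flag, since the filesystem has no place to store it), added here as an example; it is not code from the thread or from the util-vserver project. The mount table below is a constructed sample; on a real host pass the contents of /proc/mounts instead.

```shell
#!/bin/sh
# Added example: find the mount that holds a vserver root and flag NFS
# mounts, where "setattr --barrier" cannot take effect.

# Constructed sample of /proc/mounts (device mountpoint fstype opts dump pass).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
netapp:/vol/vservers /vservers nfs rw,vers=3,noac 0 0
netapp:/vol/vs4 /vservers/v4 nfs4 rw 0 0
/dev/sdb1 /srv/local ext3 rw 0 0'

# mount_for PATH MOUNTS_TEXT -> prints "<mountpoint> <fstype>" for the
# deepest mount point that covers PATH (longest prefix match; on ties the
# later entry wins, matching the order in which mounts stack).
mount_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2; fs = $3
            # mp covers p if it is the root, equals p, or p starts with "mp/"
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) {
                    best_len = length(mp); best_mp = mp; best_fs = fs
                }
            }
        }
        END { print best_mp, best_fs }'
}

# barrier_possible PATH MOUNTS_TEXT -> "yes", or "no (<fstype>)" for NFS
barrier_possible() {
    set -- $(mount_for "$1" "$2")
    case "$2" in
        nfs|nfs4) echo "no ($2)" ;;
        *)        echo "yes" ;;
    esac
}

# Example run over the constructed table (real use: barrier_possible /vservers/x "$(cat /proc/mounts)")
barrier_possible /vservers/lenny1 "$SAMPLE_MOUNTS"
barrier_possible /srv/local/vs1 "$SAMPLE_MOUNTS"
```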
