[00:50] matta (matta@tektonic.net) joined #vserver.
[00:55] <[S]ushi> dubdida
[10:10] loger joined #vserver.
[10:39] mdaur (~mdaur@zepto.informatik.fh-ulm.de) joined #vserver.
[10:49] Nick change: kestrel_ -> kestrel
[13:05] new grsec release click
[13:05] 1.9.13
[13:24] serving (~serving@213.186.190.32) left irc: Ping timeout: 480 seconds
[13:29] serving (~serving@213.186.191.79) joined #vserver.
[13:53] urgh
[13:54] hey
[14:05] ccooke (~ccooke@80.1.164.238) left irc: Read error: Connection reset by peer
[14:05] kestrel (~athomas@dialup51.optus.net.au) left irc: Quit: blah
[14:10] kestrel (~athomas@dialup51.optus.net.au) joined #vserver.
[15:26] lalalalala....
[15:26] LA
[15:27] LALA!
[15:27] la grand finale!
[15:27] heh
[15:27] well, the patch works
[15:28] good news, no issues?
[15:29] doesn't seem so, so far, except that the vserver root user can see proc, which is not actually a major problem
[15:29] the rest is like having two grsec-patched servers
[15:29] or five
[15:32] very cool
[15:37] ccooke (~ccooke@80.1.164.238) joined #vserver.
[15:37] hi ccooke
[15:37] wb
[15:38] morning
[15:49] Linux storm 2.4.22-grsec+ctx #5 man des 1 07:53:55 CET 2003 i686 GNU/Linux
[16:22] TamaPanda (~a@193.173.84.237) joined #vserver.
[16:24] hello
[16:35] [S]ushi (Sushi@pD9512405.dip.t-dialin.net) joined #vserver.
[16:35] <[S]ushi> hi
[16:38] doh, i was just going over the kernel patches.. the kernel i have is exactly the one there is no kernel for.. heh
[16:39] good a time as any to upgrade i suppose
[16:41] say (~say@212.86.243.154) left irc: Ping timeout: 496 seconds
[16:45] say (~say@212.86.243.154) joined #vserver.
[16:58] the kernel is exactly the one you have no kernel for?
[16:58] *shrug* ;]
[16:59] erm.. patch $%^@%
[16:59] ;)
[16:59] *evil grin*
[17:01] Action: TamaPanda notes: no kernel source installed *gah*
[17:02] *laugh my ass off*
[17:03] i knew minimal slack installs would backfire..
[17:04] so how is everybody doing?
[17:04] ;)
[17:04] *tactical change of subject*
[17:04] well, we are doing well, we've got the source installed ;]
[17:18] [S]ushi (Sushi@pD9512405.dip.t-dialin.net) left irc:
[17:37] mdaur (~mdaur@zepto.informatik.fh-ulm.de) left irc: Quit: Client exiting
[17:44] Nick change: Bertl_zZ -> Bertl
[17:44] hi all!
[17:44] bertl: got it working
[17:44] well, what?
[17:45] bertl: grsec+vtx on .22, the s380/390 part is next on my list
[17:45] hmm, why didn't you try my patch?
[17:45] for .23?
[17:45] yup?
[17:45] grsec-1.9.13 for 23 is out
[17:46] hrm ...
[17:46] that's also on my todo list
[17:46] okay ... it works, so why complain ...
[17:46] i don't know :)
[17:46] perfect ...
[17:47] well, just one small glitch, but that's not a _major_ one tho'
[18:02] hmm, which is?
[18:17] BobR (~georg@oglgogl.BMTP.AKH-Wien.ac.at) joined #vserver.
[18:17] hi bob!
[18:17] Hi
[18:18] howdy?
[18:18] how was your day?
[18:19] thou shalt not ask!!!
[18:19] (as we're off topic >#dukelair ???)
[18:23] bertl: /proc is shown in the vserver, but I guess that has to do with the vs-context, allowing the vserver separation of the different users, marking the vserver root users as uid 0, and not handling uid 0#
[18:24] bertl: it does block normal users, so it's not much of a 'major' problem
[18:25] well you can add a check if you want ...
[18:25] most probably I've just forgotten to add a check for it in the grsec part
[18:25] hehe yeah
[18:25] :)=
[18:25] it's not much of a problem anyway, as the /proc restrictions are more 'delicate' for the main server than for the vs'es
[18:26] and, the users can't see it
[18:26] which is the main idea behind it
[18:26] no prob letting a responsible admin see the proc entries on a properly set up vs
[18:46] hm
[18:47] i guess not making a /proc mount would disable it?
[18:51] probably ...
[18:52] well, that would work, but it would also break the vservers' functionability
[18:53] break in what way?
[18:53] do all programs need /proc then?
[18:53] nah, i was thinking more about identd etc
[18:53] also, i don't think functionability is an actual word ;)
[18:54] me neither
[18:54] functionality
[18:54] well we can replace it by functionality then?
[18:54] yep :)
[18:54] Action: click hands bertl a beer
[18:54] heh
[18:56] hm.. i must admit i haven't read all of the vserver docs yet.. but... firewalled virtual server is possible? (so that the vserver can not change it) :)
[18:56] yes, it is ...
[18:57] i'm using it now
[18:57] sweet
[18:57] ssh port 99, log in as root, pass lekebox (means toybox in norwegian)
[18:57] hm but i guess i'd still need to chroot applications that run in a vserver just to be sure (eg, apache, mysql, php)
[18:58] chroot the servers?
[18:58] for what? :)
[18:58] okay, I'm off to the bath now ... cu later ...
[18:58] Nick change: Bertl -> Bertl_oO
[18:58] avoiding exploits on the respective vserver?
[18:58] not a bad idea, but i've separated each type of process into different vservers
[18:58] well you still wouldn't want some php 'hole' to affect httpd for example
[18:59] true
[18:59] hm, vservers can communicate with each other?
[18:59] no
[18:59] they are considered totally standalone
[18:59] ssh to the one I told you
[18:59] do hardlinks work between vservers? :)
[18:59] hm, what address to ssh to? ;)
[18:59] afaik they do
[18:59] you can mount paths inside a vserver
[19:00] ssh -p99 -l root ctv-01-81.nktv.no
[19:01] hm seems that i'm in a vserver now? ;)
[19:02] it's a vserver
[19:02] i can just try stuff?
[19:03] youære used to deb?
[19:03] -æ+'
[19:04] not really
[19:05] apt-get install bitchx for instance
[19:05] already there
[19:05] well, just try it out
[19:06] i did, said it was already there ;)
[19:06] i meant: try installing something else
[19:06] apt-cache search
[19:09] hm woody
[19:09] ftpd is not forwarded through the fw
[19:10] it said it was previously installed though
[19:10] ftpd?
[19:10] proftpd
[19:11] part of the default debian vserver install I believe
[19:11] if not, one of the other testers has put it there
[19:12] wget seems to work fine though :D
[19:12] of course
[19:13] if you want a hoot, just play that .wav ;)
[19:13] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[19:13] this computer is on cable or adsl?
[19:13] cable at the moment
[19:13] it's my laptop ;]
[19:13] not the prod server
[19:14] i use my lappie for most of the testing and development
[19:14] at least when it comes to x86-based kernels and patching
[19:15] and you just made a copy of base install into /vserver or something ?
[19:16] nah
[19:16] the debian vservers can be bootstrapped directly from the net
[19:16] installing the core packages
[19:16] directly
[19:16] hm
[19:17] that's one way :)
[19:18] drwxr-xr-x 2 root root 4096 2003-11-29 05:27 ARCHIVES
[19:18] drwxr-xr-x 19 root root 4096 2003-11-29 06:34 dragon
[19:18] drwxr-xr-x 19 root root 4096 2003-11-29 06:34 lekebox
[19:18] how large is lekebox now?
[19:18] in size?
[19:18] yes, MBytes :)
[19:19] 171 approx
[19:19] plus minus
[19:19] not that bad
[19:19] i have been fiddling around with chroot for all separate servers but really it's a PITA
[19:20] vserver seems to be easier :)
[19:21] i could even make separate vservers for processes and then just hardlink a sock.link between the vservers
[19:21] hmm.. that i like
[19:22] but i guess it all starts with getting the kernel source.. *whitles*
[19:22] whistles even
[19:22]
[19:24] hm i read in the online docs that user-id/group-id are still global
[19:26] ?
[19:26] uid/gid for each vserver?
[19:28] no, that a 400 in vserver 1 is the same as a 400 in another
[19:28] or maybe i read wrong
[19:29] a user with id 400 is the same user with id 400 on another vserver?
[19:29] something like that
[19:29] nope
[19:29] separate passwd/group files
[19:29] just think of it as a totally standalone server
[19:29] it has _nothing_ to do with the other vservers
[19:30] well does it have a separate kernel running as well?
[19:32] nope
[19:32] the kernel and hardware are the same
[19:32] so does the kernel just see '400', or '400 of this vserver' ?
[19:32] the scheduler sees all processes of all servers
[19:32] 400 of this vserver
[19:33] the 'rootserver' sees all processes
[19:33] they wanted to implement something like: vserver with context 2, uid 400 becomes 2400
[19:33] don't know if it is done
[19:33] but basically, files are assigned uid 400
[19:34] so hardlinks may be kind of a problem (if they didn't do the translation stuff yet)
[19:34] hardlinks can be circumvented using mount --bind iirc
[19:34] for dir areas at least
[19:36] hm i'll read the docs again when i get home.. but first, going home.. bbiab :)
[19:36] TamaPanda (~a@193.173.84.237) left irc:
[19:54] BobR (~georg@oglgogl.BMTP.AKH-Wien.ac.at) left irc: Quit: leaving
[22:45] loger joined #vserver.
[23:28] JonB (~jon@129.142.112.33) joined #vserver.
[00:00] --- Tue Dec 2 2003