[00:01] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Quit: Tak ja padaaaaM
[00:02] BobR (~georg@MAIL.13thfloor.at) left #vserver.
[02:43] JonB (~jon@129.142.112.33) left irc: Quit: Client exiting
[03:52] Nick change: Bertl_oO -> Bertl
[04:00] hi enrico!
[04:00] hi
[04:17] okay, cu 2morrow ...
[04:17] Nick change: Bertl -> Bertl_zZ
[05:12] serving (~serving@213.186.191.183) joined #vserver.
[05:52] Nesh (~dmistry@ool-4352413d.dyn.optonline.net) left irc: Quit: My damn controlling terminal disappeared!
[05:52] Nick change: riel -> surriel
[06:09] pflanze (~chris@cc-linux4.ethz.ch) left irc: Ping timeout: 499 seconds
[10:43] Nick change: Bertl_zZ -> Bertl_oO
[11:04] JonB (~jon@129.142.112.33) joined #vserver.
[11:20] Doener` (~doener@p5082D52B.dip.t-dialin.net) left irc: Quit: Leaving
[11:48] TamaPanda (~a@193.173.84.237) joined #vserver.
[11:48] wello
[11:55] virtuoso (~shisha@ip114-115.adsl.wplus.ru) joined #vserver.
[12:01] hi TamaPanda
[12:02] i just read something on the mailing list about a vserver offspring vps.. what is that?
[12:02] originally jacques started vserver on linux
[12:02] then jacques went absent
[12:03] and alex started his, vps, Virtual Private Server, which seems to focus on features. Later Bertl started doing his vserver stuff, and now jacques came back and still releases something
[12:04] so bertl and jacques are playing with vserver and alex on vps?
[12:05] sort of
[12:05] bertl wants all to work together
[12:05] jacques still releases his own stuff
[12:05] and it seems like alex tried to give bertl a patch, but that Bertl for some reason didn't include it
[12:06] my guess is that he didn't have immediate use for it himself, and forgot about it
[12:14] i don't concern myself with software 'politics' :D
[12:14] i was just wondering what it was heh
[12:16] TamaPanda: well, it can be hard for your ego if people don't use your stuff, or if they do something you want to do, faster than you do (tried it myself :(
[12:17] possibly
[12:18] hm how can i tell what vservers are actually running? is there an entry in /proc (for example)
[12:18] mount ?
[12:18] vps
[12:19] ah mount seems to do something :D
[12:20] nice.. i'm working on setting up a single server hosting platform, am playing with vservers as opposed to chroot (ie, just vserver instead of chroot)
[12:22] maybe a documentation of it would help..
[12:23] a documentation of what ?
[12:23] how to set such a thing up
[12:23] i have to document what i do anyway
[12:23] set up a vserver?
[12:23] no, the complete platform
[12:24] well, i don't know then
[13:04] loger joined #vserver.
[13:17] pflanze (~chris@cc-linux4.ethz.ch) joined #vserver.
[13:17] Typo of the day: `vim Nakefile'.
[13:58] hello
[13:59] oy
[13:59] looks like vserver is the cause that on the host, licq doesn't work anymore:
[13:59] Unable to load plugin (qt-gui): /usr/local/lib/licq/licq_qt-gui.so: failed to map segment from shared object: Permission denied.
[13:59] as it should be
[13:59] :)
[13:59] huh?
[13:59] Nick change: Bertl_oO -> Bertl
[14:00] software is so often allowed waay too much just because it is possible
[14:01] What unusual thing is it trying to do then?
[14:01] @pflanze have you verified on a non vserver kernel or the host system?
[14:01] This *is* on the host system.
[14:02] inside or outside a vhost
[14:02] ?
[14:02] pflanze: have you tried a non vserver patched kernel ?
[14:02] @pflanze have you verified on a non vserver kernel then?
[14:02] context 0
[14:02] Licq worked flawlessly until I patched the kernel with vserver, and set up ssh to bind to eth0,eth1,lo only.
[14:03] Maybe I should try to remove the ip binding from ssh for now.
[14:03] pflanze: why are you running licq in context 0?
[14:03] do you use the tagxid feature (file context tagging)?
[14:03] did you apply patches qh0.12/cx0.07/cq0.12?
[14:03] no (dunno even what it is)
[14:03] no
[14:04] just vs1.22
[14:04] pflanze: and not inside a vserver ?
[14:04] not inside a vserver
[14:04] okay, then I don't see why the behaviour regarding shared libraries should have changed ...
[14:04] pflanze: yes, i saw that, but i am asking you... WHY NOT INSIDE A VSERVER ?
[14:04] for "history reasons".
[14:05] securitywise it makes sense to limit the number of programs running in context 0
[14:05] "i like to get hax0red"
[14:05] please, just to make sure, compile a vanilla kernel, with the same config and do _not_ change any other settings ...
[14:05] The host is running debian stable, for a long time. The only vserver is running unstable.
[14:05] make another vserver
[14:05] with / as root?
[14:06] Action: pflanze installing licq in the vserver now
[14:06] pflanze: no, not with / as root
[14:07] pflanze: i'm sure you can copy your licq history to the new vserver
[14:08] no (not because of the licq history). I just liked that I can still continue to use my old server as usual.
[14:08] What would it change after all? I did ip bindings to all daemons.
[14:08] It's cool to be able to edit stuff in the vservers with emacs running on the host.
[14:08] So I like having a complete setup on the host.
[14:08] pflanze: it would change that if, no WHEN, a hacker breaches your daemon, then they are only inside a vserver
[14:09] It's not an ISP's server, this host.
[14:09] and ?
[14:09] licq is running as a dedicated user anyway.
[14:09] do you think hackers only target ISPs ?
[14:09] What does vserver buying me if it's not running as root.
[14:09] s/ing//
[14:10] extra security if they abuse a local root hole (other than a root kernel hole)
[14:10] then they would only breach a vserver, and can't really do anything with a root account
[14:11] furthermore, you could run software inside context 0 that checks and reports to you about the compromise
[14:11] Then I'd need to jail everything into its own vserver.
[14:11] no
[14:11] just make a huge vserver
[14:12] it would be smartest to jail everything into its own vserver, but you don't need to
[14:12] I'm just not that paranoid at the moment. That's all :)
[14:12] Action: TamaPanda is :)
[14:12] BTW licq from debian unstable runs inside the vserver.
[14:12] What's the use of it all? Does someone need to break into another's workstation machine?
[14:13] If you write opensource software, everything already should be publicly accessed. :)
[14:13] virtuoso: what's the use of what ?
[14:13] JonB: Of putting licq into vserver, for example.
[14:14] Sorry for RMSing btw.
[14:14] :)
[14:14] virtuoso: the idea is that if he runs it and other daemons/programs in context 0, then the whole machine is at risk
[14:14] virtuoso: if the hackers only get a vserver, software running in context 0 can detect the changes, and fight it
[14:15] virtuoso: furthermore, as long as there are no new kernel root holes, then a root hole that makes you root inside a vserver is mostly useless
[14:15] JonB: Even more, I do run tripwire on a production server with vserver patch for almost a year.
[14:15] How can I undo ip bindings (in context 0)? something like chbind --ip '*'
[14:16] virtuoso: what do you run in context 0 ?
[14:16] JonB: But, is there a real need for securing a workstation in this way?
[14:16] JonB: On my workstation -- everything except samba and pureftpd.
[14:16] virtuoso: all machines need to be secured
[14:17] JonB: Why? :)
[14:17] JonB is right; it's just a balance between laziness and usefulness.
[14:18] virtuoso: because on the internet, YOUR computer is my neighbor
[14:18] I've chbound ssh to some interfaces. Now if I log in as root, I'm already restricted. How can I undo this restriction so I can start ssh without bindings?
[14:18] virtuoso: if your computer is compromised, it's more dangerous than me
[14:18] pflanze: how did you do the restrictions to begin with?
[14:19] virtuoso: dangerous to mine
[14:19] JonB: I wouldn't say that. Most of the machines are behind firewalls.
[14:19] JonB: wrap ssh with v_ssh (chbind --ip eth0 --ip eth1 --ip lo)
[14:19] virtuoso: like my ISP's mailserver... it's suddenly listed in bl.spamcop.net
[14:20] virtuoso: what good is a firewall if you run exposed services? and besides, the biggest hacker threat is from the inside
[14:20] virtuoso: meaning, that i cannot send email
[14:20] JonB: I understand.
[14:20] JonB: That's only me, who's from the inside.
[14:20] virtuoso: and you can be trojaned
[14:21] virtuoso: running no exposed services ?
[14:21] JonB: @home? No. Except samba and ftp, but they're in vservers.
[14:22] besides, on a side related note... can i hardlink directories, or only files ?
[14:23] i think just files, on the same filesystem
[14:27] i was looking at that to share /usr in vservers ;)
[14:31] It's a good point to share /usr in several vservers.
[14:31] Another trick is to use loop device. :)
[14:32] Since bind mount afair cannot be read-only.
[14:34] wrong!
[14:34] Which one? :)
[14:34] but you need a patch for that ...
[14:34] the ro bind ...
[14:34] I'm trying to get the patch into 2.4 and 2.6 for over 3 months ...
[14:34] Never saw such a patch.
[14:34] And how's that going?
[14:35] http://vserver.13thfloor.at/Experimental/patch-2.6.0-test3-bme0.03.diff.bz2
[14:35] http://vserver.13thfloor.at/Experimental/patch-2.4.22-rc2-bme0.03.diff
[14:35] Action: virtuoso bows before Bertl
[14:35] if you want to try it, I can rediff it for 2.4.23 and 2.6.0-test11 ;)
[14:36] I can do it myself. That's not that urgent.
[16:00] Nick change: Bertl -> Bertl_oO
[16:10] hm
[16:10] read only bind?
[16:10] wazda?
[16:15] Bind mount.
[16:15] Since Linux 2.4.0 it is possible to remount part of the file hierarchy
[16:15] somewhere else. The call is
[16:15] mount --bind olddir newdir
[16:15] After this call the same contents is accessible in two places.
[16:15] ... from man mount.
[16:18] I wish there was an overlay FS still...
[16:19] What's that?
[16:21] an overlay is where, say, you have one filesystem (such as a CD) and you mount another filesystem on *top* of it
[16:21] where no file on the overlay FS exists, you see the file from the overlaid FS 'beneath' it.
[16:22] if you try to write, the write goes to a file on the overlay FS...
[16:22] it would, actually, be a very good thing for vservers
[16:22] you have one FS mounted read-only, then overlay it with individual stuff
[16:23] and it'd be *incredibly* useful for me, since I boot all my systems from CD :-)
[16:23] Hm, nice thing.
[16:26] but, the filesystem became obsolete in linux 2.0.x
[16:50] you can do this thing with lvm
[16:50] and snapshots
[16:57] ccooke: port it ?
[16:57] lvm does it?
[16:57] *interesting*
[16:58] ccooke: or, even smarter, hack the VFS layer such that if you have more than one filesystem mounted, it first looks in the last mounted (or first mounted)
[17:47] Nick change: unriel -> riel
[18:32] Nick change: Bertl_oO -> Bertl
[18:33] @maharaja are you sure about lvm in this regard?
[18:34] bertl: lvm offers the possibility to create snapshots. you've got a read only snapshot, and another volume where the changed data is written. this is said to be quite handy for backups. i never used it though
[18:35] yeah, but it isn't possible to overlay something on a ro partition, but I understand what you mean ...
[18:36] bertl: try this url for examples: http://tldp.org/HOWTO/LVM-HOWTO/snapshots_backup.html
[18:38] yeah, but this isn't what overlay filesystems do ... trust me I know it .. see http://vserver.13thfloor.at/TBVFS/
[18:55] JonB (~jon@129.142.112.33) left irc: Ping timeout: 499 seconds
[19:21] pflanze (~chris@cc-linux4.ethz.ch) left irc: Ping timeout: 485 seconds
[19:25] TamaPanda (~a@193.173.84.237) left irc:
[19:47] okay .. cu later ...
[19:47] Nick change: Bertl -> Bertl_oO
[21:56] zyong (cat@bb220-255-105-230.singnet.com.sg) joined #vserver.
[21:57] hello! everyone
[00:00] --- Wed Dec 17 2003