Hi Andrew

On Mon, Oct 03, 2005 at 12:18:47AM +0800, Andrew Lee wrote:
> 
> On 2005/10/2 5:52, Ola Lundqvist wrote:
> 
> >I have now tested on one of my systems and that I have a security
> >problem there.
> >On the other system (2.4.26 + grsec) the problem does not exist. So
> >I'm not sure if I can confirm or deny this.
> 
> How did you test, and what kind of security problem did you find?
> I assume you found you couldn't pass tests 109 and 121 of the testfs.sh
> script, right?

Actually I ran the rootesc program and saw that it was possible to
escape.

> Let me quote the explanation from upstream:
> <quote>
> 23:51 < Bertl> 109 and 121 indicate that the barrier is not working ...
> 23:52 < Bertl> -> minor issue with namespaces, major chroot security issue with legacy guests
> </quote>
> 
> 
> >It would be really good if you could install the sarge util-vserver
> >on the sid kernel-patch-vserver + linux-source-2.6.12 system to see
> >if this is a problem with util-vserver or with the kernel patches.
> 
> 
> I tested that several days ago; I upgraded the kernel on my system
> first and then got the same failures from the tests of the testfs.sh
> script again.
> I have upgraded to 0.30.208-2; I still got the same failures on i386,
> but no errors on powerpc after I rebuilt the util-vserver package
> from source.

Ahh now I see. Missed that you used different architectures in your
testing.

> Here is how I did the test and what I got on an i386 machine:
> # testfs.sh -l -t -D /dev/loop4 -M /mnt
> Linux-VServer FS Test [V0.09] Copyright (C) 2005 H.Poetzl
> Linux 2.6.12-6vs2-p4smp i686/0.30.208
> VCI:  0002:0001 273 03000076 (ugid24)
> ---
> testing ext2 filesystem ...
> [000]. xattr related tests ...
> [101]. [102]. [103]* [104]* [106]. [108]. [109]*
> [112]. [113]* [114]* [115]. [116]. [117]. [118]. [119]*
> [121]* [122]* [123]* [124]* [199].
> ---
> testing ext3 filesystem ...
> [000]. xattr related tests ...
> [101]. [102]. [103]* [104]* [106]. [108]. [109]*
> [112]. [113]* [114]* [115]. [116]. [117]. [118]. [119]*
> [121]* [122]* [123]* [124]* [199].
> ---
> testing xfs filesystem ...
> [000]* (xfs format failed)
> ---
> testing reiser filesystem ...
> [000]* (reiser format failed)
> ---
> testing jfs filesystem ...
> [000]* (jfs format failed)

Ok, thanks.

I wonder why it does not fail after your rebuild. Maybe it passes
only if I compile on a vserver patched system...

Regards,

// Ola

> -Andrew
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                     Annebergsslingan 37      \
|  [EMAIL PROTECTED]                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
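
An added example, not part of the original message or of the Linux-VServer project: a Python sketch that parses testfs.sh output like the run quoted above and reports, per filesystem, whether the barrier tests 109 and 121 failed. It assumes `*` marks a failed test and `.` a passed one; the function names and the sample text are constructed for illustration.

```python
import re

# Per the upstream quote in this thread, 109 and 121 failing means the barrier is not working.
BARRIER_TESTS = {109, 121}

# Constructed sample, modelled on the i386 run quoted in the message.
SAMPLE = """\
testing ext2 filesystem ...
[000]. xattr related tests ...
[101]. [102]. [103]* [104]* [106]. [108]. [109]*
[112]. [113]* [114]* [115]. [116]. [117]. [118]. [119]*
[121]* [122]* [123]* [124]* [199].
---
testing xfs filesystem ...
[000]* (xfs format failed)
"""

FS_RE = re.compile(r"^testing (\S+) filesystem")
RESULT_RE = re.compile(r"\[(\d{3})\]([.*])")

def parse_testfs(text):
    """Return {filesystem: {"failed": [ids], "passed": [ids]}}."""
    results, current = {}, None
    for line in text.splitlines():
        # Strip mail quoting ("> ", "> > ") so pasted list posts parse too.
        line = re.sub(r"^(>\s?)+", "", line)
        m = FS_RE.match(line)
        if m:
            current = results.setdefault(m.group(1), {"failed": [], "passed": []})
            continue
        if current is None:
            continue  # banner lines before the first filesystem section
        # Assumption: "*" = failed, "." = passed.
        for num, mark in RESULT_RE.findall(line):
            current["failed" if mark == "*" else "passed"].append(int(num))
    return results

def barrier_status(results):
    """Classify each filesystem as barrier-broken, ok, or not-tested."""
    status = {}
    for fs, r in results.items():
        if 0 in r["failed"]:
            # Test 000 failed (format failed): 109/121 never ran, so no verdict.
            status[fs] = "not-tested"
        elif BARRIER_TESTS & set(r["failed"]):
            status[fs] = "barrier-broken"
        else:
            status[fs] = "ok"
    return status
```

Filesystems whose format step failed are reported as not-tested rather than ok, since the absence of a 109 or 121 failure there says nothing about the barrier.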

