-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tag 329087 +moreinfo
thanks


Andrew Lee wrote:
> I found the kernel-patch-vserver and util-vserver in sarge can not pass
> the testfs.sh script[1] which is provided by the upstream author.

Please tell me how you run this script and what failures you get. Also,
this is a destructive test, correct?

> After some more
> tests, the upstream author discovered this is a security hole.
> 
> Here is what I did in my test:
> # ls -lda /var/lib/vservers/XXXX/..

Did you first mkdir /var/lib/vservers/XXXX? I assume you did, otherwise
you will get an error that XXXX does not exist. Although perhaps XXXX is
supposed to be a vserver? I will continue assuming that is the case.

> d---------  8 root root 4096 Sep 19 19:46 /var/lib/vservers/XXXX/../

You would only get a trailing slash if you actually did:
# ls -lda /var/lib/vservers/XXXX/../

> # showattr -d /var/lib/vservers/XXXX/..
> ---BU-- /var/lib/vservers/XXXX/..

This is not what I get on my i386 system:

# showattr -d /var/lib/vservers/XXXX/..
- ---bui- /big/vservers/XXXX/..

> # lsattr -d /var/lib/vservers/XXXX/..
> ---------------t- /var/lib/vservers/XXXX/..

Also I do not get this on my system:
# lsattr -d /var/lib/vservers/XXXX/..
- ----------------- /big/vservers/XXXX/..

Please tell me what architecture you are running, what kernel version
you are running, which kernel patch you are running and how you applied
and compiled the kernel. Additionally, did you set up the chroot barrier
properly?

> ssh into a guest and then starting the root exploit[2] inside a guest now
> gives: Exploit seems to work. =)

sshing into a guest on my system and running that root exploit gives:
mkdir baz: Permission denied
chroot baz: No such file or directory

> And then I am able to access the host, read /etc/shadow
> and create /test.txt in the host.

I think you may have set something up incorrectly, or perhaps the
util-vserver tools did not set the chroot barrier properly.

Micah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDPF559n4qXRzy1ioRAkawAKCtdYHVQnVTeQW2WHUtpZkz7JjRQwCfc3De
m8UymU8COYdr8/8axxPJ01g=
=gWzU
-----END PGP SIGNATURE-----

