Re: [Vserver] bugs in new namespace code
On Wed, Mar 24, 2004 at 06:22:09PM +0200, Alex Lyashkov wrote:

> Hi Herbert
>
> I downloaded your experimental code from
> http://vserver.13thfloor.at/Experimental/ns01 and see you added 2 bugs
> in the namespace switch code.

Hi Alex!

thanks for looking at the code!

> Your function
> ===
> int vc_enter_namespace(uint32_t id, void *data)
> {
>     struct vx_info *vxi;
>     struct namespace *old_ns;
>
>     if (!vx_check(0, VX_ADMIN))
>         return -ENOSYS;
>     vxi = find_vx_info(id);
>     if (!vxi)
>         return -ESRCH;
>
>     if (!vxi->vx_namespace)
>         goto out_put;
>
>     old_ns = current->namespace;
>     get_namespace(vxi->vx_namespace);
>     current->namespace = vxi->vx_namespace;
>     put_namespace(old_ns);
> out_put:
>     put_vx_info(vxi);
>     return 0;
> }
> =

recent patches (like 0.09.25) use the following code, which at least has one bug you mention:

...
    old_ns = current->namespace;
    old_fs = current->fs;
    get_namespace(vxi->vx_namespace);
    current->namespace = vxi->vx_namespace;
    current->fs = copy_fs_struct(vxi->vx_fs);
    put_namespace(old_ns);
    put_fs_struct(old_fs);
...

> well... first bug. You _must_ lock the task before the namespace switch.
> See include/linux/namespace.h as an example of namespace switch code.

sounds reasonable, thanks!

> static inline void exit_namespace(struct task_struct *p)
> {
>     struct namespace *namespace = p->namespace;
>
>     if (namespace) {
>         task_lock(p);
>         p->namespace = NULL;
>         task_unlock(p);
>         put_namespace(namespace);
>     }
> }
> ===
> second bug. You must adjust 'root', 'altroot', pwd and the task->fs struct.
> If you don't do it, it creates a security hole. How to do it, see
> namespace.c:chroot_fs_refs and open.c:sys_chroot.

do you think the approach above isn't sufficient, regarding root and altroot, what security hole do you see?

> I think these references will help you fix the code.

thank you,
Herbert

> --
> Alex Lyashkov [EMAIL PROTECTED]
> PSoft

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
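The two points Alex raises (pointer swap under the task lock, and rebasing root/pwd/altroot so the task cannot keep reaching the mount tree it just left) can be modelled in user space. The block below is an added example, not kernel code and not code from the linux-vserver patches: `struct ns`, `struct fs_struct`, `struct task`, `task_lock()`/`task_unlock()` and the refcount helpers are simplified stand-ins for the kernel objects named in the thread, and the mount names are constructed. It puts the naive switch next to the fixed one and exposes the difference through `task_reaches_ns()`, which reports whether any fs reference still points into a given namespace.

```c
/* Added example: a user-space model of the namespace switch above.
 * This is NOT kernel code and NOT linux-vserver code; struct ns, struct
 * fs_struct, struct task and task_lock() are simplified stand-ins for the
 * kernel objects named in the thread. */
#include <stdio.h>
#include <stdlib.h>

struct ns;
struct vfsmount { struct ns *ns; const char *name; };    /* a mount belongs to one namespace */
struct ns { int refcount; struct vfsmount root_mnt; };   /* namespace = its mount tree */
struct fs_struct { int refcount; struct vfsmount *root, *pwd, *altroot; };
struct task { int locked; struct ns *ns; struct fs_struct *fs; };

static void ns_init(struct ns *ns, const char *root_name) {
    ns->refcount = 1;                 /* the namespace's own reference */
    ns->root_mnt.ns = ns;
    ns->root_mnt.name = root_name;
}
static void get_namespace(struct ns *ns) { ns->refcount++; }
static void put_namespace(struct ns *ns) { ns->refcount--; }
static void task_lock(struct task *t)   { t->locked = 1; }   /* stand-in for the kernel spinlock */
static void task_unlock(struct task *t) { t->locked = 0; }

static struct fs_struct *copy_fs_struct(const struct fs_struct *old) {
    struct fs_struct *fs = malloc(sizeof *fs);
    if (fs) { *fs = *old; fs->refcount = 1; }
    return fs;
}
static void put_fs_struct(struct fs_struct *fs) { if (--fs->refcount == 0) free(fs); }

/* Does anything in the task's fs_struct still point into namespace ns?
 * After a correct switch away from ns this must be 0. */
int task_reaches_ns(const struct task *t, const struct ns *ns) {
    const struct fs_struct *fs = t->fs;
    return (fs->root && fs->root->ns == ns) || (fs->pwd && fs->pwd->ns == ns)
        || (fs->altroot && fs->altroot->ns == ns);
}

/* The shape Alex objects to: no task lock around the pointer swap, and
 * root/pwd/altroot keep pointing at mounts of the namespace just left. */
int enter_namespace_naive(struct task *t, struct ns *target) {
    struct ns *old_ns = t->ns;
    get_namespace(target);
    t->ns = target;                   /* unlocked; fs_struct untouched */
    put_namespace(old_ns);
    return 0;
}

/* Fixed ordering: take the new references first, rebase every fs reference
 * that points into the old namespace onto the target's root (the idea of
 * chroot_fs_refs), swap the pointers under the task lock, and drop the old
 * references only after unlocking. */
int enter_namespace_fixed(struct task *t, struct ns *target) {
    struct ns *old_ns = t->ns;
    struct fs_struct *old_fs, *new_fs;

    get_namespace(target);
    new_fs = copy_fs_struct(t->fs);   /* private copy, so sharers of the old fs are unaffected */
    if (!new_fs) { put_namespace(target); return -1; }
    if (new_fs->root && new_fs->root->ns == old_ns) new_fs->root = &target->root_mnt;
    if (new_fs->pwd && new_fs->pwd->ns == old_ns) new_fs->pwd = &target->root_mnt;
    if (new_fs->altroot && new_fs->altroot->ns == old_ns) new_fs->altroot = NULL;

    task_lock(t);
    old_fs = t->fs;
    t->ns = target;
    t->fs = new_fs;
    task_unlock(t);

    put_namespace(old_ns);
    put_fs_struct(old_fs);
    return 0;
}

/* Demo helper: a task living in host with a private fs_struct rooted there. */
struct task *task_in_ns(struct ns *host) {
    struct task *t = calloc(1, sizeof *t);
    struct fs_struct *fs = calloc(1, sizeof *fs);
    if (!t || !fs) { free(t); free(fs); return NULL; }
    fs->refcount = 1;
    fs->root = fs->pwd = &host->root_mnt;
    get_namespace(host);
    t->ns = host;
    t->fs = fs;
    return t;
}

int main(void) {
    struct ns host, guest;
    ns_init(&host, "/");
    ns_init(&guest, "/vservers/web2");   /* constructed names */
    struct task *a = task_in_ns(&host), *b = task_in_ns(&host);
    enter_namespace_naive(a, &guest);
    enter_namespace_fixed(b, &guest);
    printf("naive: still reaches host mounts = %d\n", task_reaches_ns(a, &host));
    printf("fixed: still reaches host mounts = %d\n", task_reaches_ns(b, &host));
    return 0;
}
```

The model deliberately copies the fs_struct before rebasing it: if the task shared its fs_struct with other tasks (CLONE_FS), rewriting the shared copy in place would silently move those tasks too. The real kernel's chroot_fs_refs walks all tasks and only replaces references equal to the old root, which is what `sys_chroot` relies on; the comparison on `->ns` here is the simplified equivalent.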
[Vserver] iptables
I know someone who has a virtuozzo-based hosting account, and it appears that their latest version allows for iptables/ipchains to work somehow. Anyone know how it works, and is this something that might be possible with VServer, perhaps in the future?

Grisha
[Vserver] Can't set the new security context
When trying to stop a vserver instance I get the following error:

Can't set the new security context

see complete error here:
--
vserver web2 stop;
Stopping the virtual server web2
Server web2 is running
ipv4root is now 153.90.199.59
: Invalid argument
sleeping 5 seconds
Killing all processes
---

debian 2.4.25 kernel with vs 1.26
vserver 0.29-2

I used debian newvserver to create the vserver instance. It starts fine, but does not want to stop.

I ran herbert's test script http://vserver.13thfloor.at/Stuff/testme.sh and it indicates failure on test number 201.

Test Output:
---
Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
---
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# failed.
[202]# succeeded.
---

The verbose failure is:
[201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0' /proc/self/status
[201]# failed.

I thought at first it was because I had included the vserver+grsec patch, so I recompiled a new kernel without any grsecurity options, and it still had the same error.

I read through the archives and could not find any more information about this particular error.

--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Vserver] Can't set the new security context
Lucas Albers said:
> When trying to stop a vserver instance I get the following error:
> Can't set the new security context

It looks like when I run the vserver script, it does not define the correct context:

Here is the line from my vserver script to stop or start a vserver. isn't it supposed to have a number defining the context right after --ctx?

relevant output from running vserver stop webx;
---
/usr/sbin/chbind --ip 153.90.xxx.xx --bcast 153.90.xxx.xxx /usr/sbin/chcontext --secure --ctx /usr/lib/vserver/capchroot . /etc/init.d/rc 6
ipv4root is now 153.90.xxx.xx
---

--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Vserver] 1.26 includes quota patch?
On Thu, Mar 25, 2004 at 01:12:15PM -0700, Lucas Albers wrote:
> Looking at these directions on including quota support in vserver.
> http://www.linux-vserver.org/index.php?page=Step-by-Step+Guide
>
> paraphrased:
> - Configure, compile, and install the kernel.
>   Kernel configuration (vserver 1.22 - if no quota support wanted, normal configuration)
>   Block devices/Virtual Root device support - needed for pr. vserver quota
>   File systems/Persistent ContextID for files - needed for quota, and you need the ADDON quota patch
>   File systems/Quota support
>   Quota suboption/VFS vo quota format support
> -
> I enabled the block device option using menuconfig.
>
> Do I need to
> 1.) Install any additional patches for these quota items, if I am using 1.26?

if you want per vserver disk limits and quotas on a shared partition (more than one vserver per partition) then you need to add the quota patches ...

> 2.) Enable these other options in menuconfig?

if you add the patches, you have to select a tagging method for the xid file tagging ...

HTH,
Herbert

PS: vs1.27 is out ;)

> --
> Luke
> Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
Re: [Vserver] Can't set the new security context
On Thu, Mar 25, 2004 at 03:22:12PM -0700, Lucas Albers wrote:
> When trying to stop a vserver instance I get the following error:
>
> Can't set the new security context
>
> see complete error here:
> --
> vserver web2 stop;
> Stopping the virtual server web2
> Server web2 is running
> ipv4root is now 153.90.199.59
> : Invalid argument
> sleeping 5 seconds
> Killing all processes
> ---
>
> debian 2.4.25 kernel with vs 1.26
> vserver 0.29-2
>
> I used debian newvserver to create the vserver instance. It starts fine, but does not want to stop.
>
> I ran herbert's test script http://vserver.13thfloor.at/Stuff/testme.sh and it indicates failure on test number 201.
>
> Test Output:
> ---
> Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
> chcontext is working.
> chbind is working.
> Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
> ---
> [001]# succeeded.
> [011]# succeeded.
> [031]# succeeded.
> [101]# succeeded.
> [102]# succeeded.
> [201]# failed.
> [202]# succeeded.
> ---
>
> The verbose failure is:
> [201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0' /proc/self/status
> [201]# failed.
>
> I thought at first it was because I had included the vserver+grsec patch, so I recompiled a new kernel without any grsecurity options, and it still had the same error.

201 is known to fail with stable branch and legacy tools (vserver-0.XX)
it works with experimental, and util-vserver tools (0.29.3 for example)

> I read through the archives and could not find any more information about this particular error.

that is the reason, why I do not include the vserver tools on the download page (vs1.26/vs1.27), only the util-vserver ones ...

HTH,
Herbert

> --
> Luke
> Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
Re: [Vserver] Can't set the new security context
On Thu, Mar 25, 2004 at 03:59:57PM -0700, Lucas Albers wrote:
> Lucas Albers said:
> > When trying to stop a vserver instance I get the following error:
> > Can't set the new security context
>
> It looks like when I run the vserver script, it does not define the correct context:
>
> Here is the line from my vserver script to stop or start a vserver. isn't it supposed to have a number defining the context right after --ctx?

yeah, as I said, the tools are broken, send Jacques an email to fix them or get the debian linux-vserver maintainer to do it, or 'just' use the mainstream tools for linux-vserver

http://www.13thfloor.at/vserver/s_release/v1.27/

HTH,
Herbert

> relevant output from running vserver stop webx;
> ---
> /usr/sbin/chbind --ip 153.90.xxx.xx --bcast 153.90.xxx.xxx /usr/sbin/chcontext --secure --ctx /usr/lib/vserver/capchroot . /etc/init.d/rc 6
> ipv4root is now 153.90.xxx.xx
> ---
>
> --
> Luke
> Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
Re: [Vserver] iptables
On 26.03.2004, 00:06, Gregory (Grisha) Trubetskoy wrote:
> I know someone who has a virtuozzo-based hosting account, and it appears that their latest version allows for iptables/ipchains to work somehow. Anyone know how it works, and is this something that might be possible with VServer, perhaps in the future?
>
> Grisha

Current vserver: no. Try FreeVPS; it allows the use of iptables inside a VPS.

--
Alex Lyashkov [EMAIL PROTECTED]
PSoft