Re: [Vserver] bugs in new namespace code

2004-03-25 Thread Herbert Poetzl
On Wed, Mar 24, 2004 at 06:22:09PM +0200, Alex Lyashkov wrote:
 Hi Herbert
 
 I downloaded your experimental code from
 http://vserver.13thfloor.at/Experimental/ns01
 and saw that you added 2 bugs in the namespace switch code.

Hi Alex!

thanks for looking at the code!

 Your function
 ===
 int vc_enter_namespace(uint32_t id, void *data)
 {
         struct vx_info *vxi;
         struct namespace *old_ns;
 
         if (!vx_check(0, VX_ADMIN))
                 return -ENOSYS;
 
         vxi = find_vx_info(id);
         if (!vxi)
                 return -ESRCH;
 
         if (!vxi->vx_namespace)
                 goto out_put;
 
         old_ns = current->namespace;
         get_namespace(vxi->vx_namespace);
         current->namespace = vxi->vx_namespace;
         put_namespace(old_ns);
 
 out_put:
         put_vx_info(vxi);
         return 0;
 }
 =

recent patches (like 0.09.25) use the following code,
which at least has one bug you mention:

 ...
old_ns = current->namespace;
old_fs = current->fs;
get_namespace(vxi->vx_namespace);
current->namespace = vxi->vx_namespace;
current->fs = copy_fs_struct(vxi->vx_fs);
put_namespace(old_ns);
put_fs_struct(old_fs);
 ...


 well...
 first bug. You _must_ lock the task before the namespace switch.
 See include/linux/namespace.h for an example of namespace switch code.

sounds reasonable, thanks!

 static inline void exit_namespace(struct task_struct *p)
 {
         struct namespace *namespace = p->namespace;
         if (namespace) {
                 task_lock(p);
                 p->namespace = NULL;
                 task_unlock(p);
                 put_namespace(namespace);
         }
 }
 
 ===
 second bug. You must adjust 'root' & 'altroot', pwd and the task->fs
 struct. If you do not, it creates a security hole.
 For how to do it, see
 namespace.c:chroot_fs_refs and open.c:sys_chroot.

do you think the approach above isn't sufficient,
regarding root and altroot, what security hole
do you see?

 I think these references will help you fix the code.

thank you,
Herbert

 -- 
 Alex Lyashkov [EMAIL PROTECTED]
 PSoft
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
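Added illustration, not code from Linux-VServer or the kernel: a user-space model of the chroot_fs_refs() walk that Alex points to, showing why a namespace switch that only swaps current->namespace leaves fs->root / fs->pwd / fs->altroot bound to the host tree, and how rebinding them under task_lock() with balanced reference counts closes that. The dentry, fs_struct and task structures are stand-ins; the host root being path "" and the guest root being "/vservers/web2" are assumptions for the demo.

```c
/*
 * Added example (not Linux-VServer or kernel code): a user-space model of
 * fs/namespace.c:chroot_fs_refs(). Host root is modelled as path "" and the
 * guest root as "/vservers/web2" (both assumed for the demo).
 */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct dentry { const char *path; int d_count; };   /* path: where this root lives on the host */
struct fs_struct { struct dentry *root, *pwd, *altroot; };
struct task { const char *comm; struct fs_struct *fs; int lock_depth; };

static struct dentry *dget(struct dentry *d) { if (d) d->d_count++; return d; }
static void dput(struct dentry *d) { if (d) { assert(d->d_count > 0); d->d_count--; } }

/* task_lock()/task_unlock() stand-ins; the asserts catch unbalanced locking. */
static void task_lock(struct task *p)   { assert(p->lock_depth == 0); p->lock_depth = 1; }
static void task_unlock(struct task *p) { assert(p->lock_depth == 1); p->lock_depth = 0; }

/* Swap one fs_struct slot if it still points at old_root; caller holds task_lock. */
static void rebind(struct dentry **slot, struct dentry *old_root, struct dentry *new_root)
{
    if (*slot == old_root) { dput(*slot); *slot = dget(new_root); }
}

/* Model of chroot_fs_refs(): every task whose root, pwd or altroot is old_root
 * is moved to new_root under its task lock, with reference counts kept balanced. */
void chroot_fs_refs(struct task *tasks, size_t n, struct dentry *old_root, struct dentry *new_root)
{
    for (size_t i = 0; i < n; i++) {
        struct fs_struct *fs = tasks[i].fs;
        if (!fs) continue;
        task_lock(&tasks[i]);
        rebind(&fs->root, old_root, new_root);
        rebind(&fs->pwd, old_root, new_root);
        rebind(&fs->altroot, old_root, new_root);
        task_unlock(&tasks[i]);
    }
}

/* An absolute-path lookup starts at fs->root; return the host-side path it
 * lands on. A stale root means "/" still names the host tree. */
const char *resolve(const struct task *t, const char *abs_path, char *out, size_t len)
{
    snprintf(out, len, "%s%s", t->fs->root->path, abs_path);
    return out;
}

/* 1 if a lookup of abs_path from task t lands outside guest_root on the host. */
int escapes_guest(const struct task *t, const char *abs_path, const struct dentry *guest_root)
{
    char buf[256];
    resolve(t, abs_path, buf, sizeof buf);
    return strncmp(buf, guest_root->path, strlen(guest_root->path)) != 0;
}

/* Scenario: one task enters the guest. Returns 1 if the namespace-only switch
 * (fs left alone) escapes the guest while the chroot_fs_refs walk does not. */
int demo(void)
{
    struct dentry host_root  = { "", 1 };
    struct dentry guest_root = { "/vservers/web2", 1 };
    struct fs_struct fs = { dget(&host_root), dget(&host_root), NULL };
    struct task t = { "httpd", &fs, 0 };   /* task name assumed */

    /* Switching current->namespace without touching fs: root is still host_root. */
    int before = escapes_guest(&t, "/etc/shadow", &guest_root);

    chroot_fs_refs(&t, 1, &host_root, &guest_root);
    int after = escapes_guest(&t, "/etc/shadow", &guest_root);

    /* root and pwd moved over: two refs dropped on the host root, two taken on the guest root. */
    assert(host_root.d_count == 1 && guest_root.d_count == 3);
    return before == 1 && after == 0;
}

int main(void)
{
    int ok = demo();
    printf("namespace-only switch escapes, chroot_fs_refs walk fixes it: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The walk is the same shape the kernel uses when pivot_root() moves every task off the old root: it is the rebinding of the three fs_struct slots, not the change of the namespace pointer, that decides which tree "/" names for the task afterwards.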


[Vserver] iptables

2004-03-25 Thread Gregory (Grisha) Trubetskoy

I know someone who has a virtuozzo-based hosting account, and it appears
that their latest version allows for iptables/ipchains to work somehow.

Anyone know how it works, and is this something that might be possible
with VServer, perhaps in the future?

Grisha


[Vserver] Can't set the new security context

2004-03-25 Thread Lucas Albers
When trying to stop a vserver instance I get the following error:
Can't set the new security context

see complete error here:
--
vserver web2 stop;
Stopping the virtual server web2
Server web2 is running
ipv4root is now 153.90.199.59
: Invalid argument
sleeping 5 seconds
Killing all processes
---
debian
2.4.25 kernel with vs 1.26
vserver 0.29-2
I used debian newvserver to create the vserver instance.
It starts fine, but does not want to stop.

I ran herbert's test script
http://vserver.13thfloor.at/Stuff/testme.sh
and it indicates failure on test number 201.

Test Output:
---
Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
---
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# failed.
[202]# succeeded.
---

The verbose failure is:
[201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0'
/proc/self/status
[201]# failed.


I thought at first it was because I had included the vserver+grsec patch,
so I recompiled a new kernel without any grsecurity options, and it still
had the same error.

I read through the archives and could not find any more information about
this particular error.
-- 
Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana



Re: [Vserver] Can't set the new security context

2004-03-25 Thread Lucas Albers

Lucas Albers said:
 When trying to stop a vserver instance I get the following error:
 Can't set the new security context

It looks like when I run the vserver script, it does not define the
correct context:
Here is the line from my vserver script to stop or start a vserver.
isn't it supposed to have a number defining the context right after --ctx?

relevant output from running vserver stop webx;

---
/usr/sbin/chbind --ip 153.90.xxx.xx --bcast 153.90.xxx.xxx
/usr/sbin/chcontext --secure --ctx /usr/lib/vserver/capchroot .
/etc/init.d/rc 6
ipv4root is now 153.90.xxx.xx
---

-- 
Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana



Re: [Vserver] 1.26 includes quota patch?

2004-03-25 Thread Herbert Poetzl
On Thu, Mar 25, 2004 at 01:12:15PM -0700, Lucas Albers wrote:
 Looking at these directions on including quota support in vserver.
 http://www.linux-vserver.org/index.php?page=Step-by-Step+Guide
 paraphrased:
 -
 Configure, compile, and install the kernel.
 Kernel configuration (vserver 1.22 - if no quota support wanted, normal
 configuration)
 Block devices/Virtual Root device support - needed for per-vserver quota
 File systems/Persistent ContextID for files - needed for quota, and you
 need the ADDON quota patch
 File systems/Quota support
 Quota suboption/VFS v0 quota format support
 -
 I enabled the block device option using menuconfig.
 Do I need to
 1.) Install any additional patches for these quota items, 
 if I am using 1.26?

if you want per vserver disk limits and quotas on a 
shared partition (more than one vserver per partition)
then you need to add the quota patches ...

 2.) Enable these other options in menuconfig?

if you add the patches, you have to select a tagging
method for the xid file tagging ...

HTH,
Herbert

PS: vs1.27 is out ;)

 -- 
 Luke Computer Science System Administrator
 Security Administrator, College of Engineering
 Montana State University-Bozeman, Montana


Re: [Vserver] Can't set the new security context

2004-03-25 Thread Herbert Poetzl
On Thu, Mar 25, 2004 at 03:22:12PM -0700, Lucas Albers wrote:
 When trying to stop a vserver instance I get the following error:
 Can't set the new security context
 
 see complete error here:
 --
 vserver web2 stop;
 Stopping the virtual server web2
 Server web2 is running
 ipv4root is now 153.90.199.59
 : Invalid argument
 sleeping 5 seconds
 Killing all processes
 ---
 debian
 2.4.25 kernel with vs 1.26
 vserver 0.29-2
 I used debian newvserver to create the vserver instance.
 It starts fine, but does not want to stop.
 
 I ran herbert's test script
 http://vserver.13thfloor.at/Stuff/testme.sh
 and it indicates failure on test number 201.
 
 Test Output:
 ---
 Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
 chcontext is working.
 chbind is working.
 Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
 ---
 [001]# succeeded.
 [011]# succeeded.
 [031]# succeeded.
 [101]# succeeded.
 [102]# succeeded.
 [201]# failed.
 [202]# succeeded.
 ---
 
 The verbose failure is:
 [201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0'
 /proc/self/status
 [201]# failed.

 I thought at first it was because I had include the vserver+grsec patch,
 so I recompiled a new kernel without any grsecurity options, and it still
 had the same error.

201 is known to fail with the stable branch and the legacy tools
(vserver-0.XX); it works with experimental, and with the util-vserver
tools (0.29.3 for example)

 I read through the archives and could not find any more information about
 this particular error.

that is the reason why I do not include the vserver tools
on the download page (vs1.26/vs1.27), only the util-vserver
ones ...

HTH,
Herbert

 -- 
 Luke Computer Science System Administrator
 Security Administrator, College of Engineering
 Montana State University-Bozeman, Montana


Re: [Vserver] Can't set the new security context

2004-03-25 Thread Herbert Poetzl
On Thu, Mar 25, 2004 at 03:59:57PM -0700, Lucas Albers wrote:
 
 Lucas Albers said:
  When trying to stop a vserver instance I get the following error:
  Can't set the new security context
 
 It looks like when I run the vserver script, it does not define the
 correct context:
 Here is the line from my vserver script to stop or start a vserver.
 isn't it supposed to have a number defining the context right after --ctx?

yeah, as I said, the tools are broken; send Jacques an
email to fix them, or get the debian linux-vserver maintainer
to do it, or 'just' use the mainstream tools for linux-vserver

http://www.13thfloor.at/vserver/s_release/v1.27/

HTH,
Herbert

 relevant output from running vserver stop webx;
 
 ---
 /usr/sbin/chbind --ip 153.90.xxx.xx --bcast 153.90.xxx.xxx
 /usr/sbin/chcontext --secure --ctx /usr/lib/vserver/capchroot .
 /etc/init.d/rc 6
 ipv4root is now 153.90.xxx.xx
 ---
 
 -- 
 Luke Computer Science System Administrator
 Security Administrator, College of Engineering
 Montana State University-Bozeman, Montana


Re: [Vserver] iptables

2004-03-25 Thread Alex Lyashkov
On 26.03.2004, 00:06, Gregory (Grisha) Trubetskoy wrote:
 I know someone who has a virtuozzo-based hosting account, and it appears
 that their latest version allows for iptables/ipchains to work somehow.
 
 Anyone know how it works, and is this something that might be possible
 with VServer, perhaps in the future?
 
 Grisha
Current vserver: no.
Try FreeVPS; it allows using iptables inside a VPS.

-- 
Alex Lyashkov [EMAIL PROTECTED]
PSoft