Re: [Vserver] debian kernel 2.6.8 questions
Hi Herbert, Thank you for your clarifications. I have figured most of the stuff except this chattr: Function not implemented while setting flags on /var/lib/vservers I am pretty sure i boot into the kernel with vserver patch when that happens. Also, is there any documentation i can refer to to convert the legacy config to the new one? TIA! Seph On 5/12/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 10:15:41AM +0800, Wai Phang wrote: Hi there, I am running debian sarge kernel 2.6.8 i686. I managed to setup everything and everything works fine except for 3 instances. 1. Whenever I start/stop my guest vserver, i get WARNING: can not find configuration, assuming legacy method which is a good indication that you are using a linux-vserver guest with a legacy config (i.e. single file vs. directory tree) 2. Whenever i stop my guest vserver, i get chcontext: vc_new_s_context(): Invalid argument which is probably caused by using dynamic context ids (which are depreciated) instead of static ones (i.e. no S_CONTEXT= in your config) 3. Occasionally, i get this error with util-vserver. (Using 0.30.204-5) chattr: Function not implemented while setting flags on /var/lib/vservers hmm ... might occasionally be related to not having booted with a vserver enabled kernel? Also, how can i verify my installation is correct. I have run the testme.sh file and everything shows up fine. Finally, do i need to enable Virtual block device for my kernel? not if you are not planning to use quota inside your vserver guest ... Really appreciate someone help me with these. TIA! HTH, Herbert Cheers! Seph ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] ELF Loader Bug exploitable inside a vServer
Hi Folks, serious problem: I read about the new BufferOverflow in the kernel's ELF Loader - it seems that an unprivileged attacker can start process in the kernels context.. Is it possible to gain root inside a vServer ? Is it possible to break out of a vServer with this Bug ? Oliver -- Diese Nachricht wurde digital unterschrieben oliwel's public key: http://www.oliwel.de/oliwel.crt Basiszertifikat: http://www.ldv.ei.tum.de/page72 smime.p7s Description: S/MIME Cryptographic Signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] Re: cpu counters in 1.9.5
Le Jeudi 12 Mai 2005 06:42, Herbert Poetzl a écrit : what do you want to troubleshoot? what do you expect there? Something like this ? # cat /proc/virtual/49157/sched Token: 0 FillRate: 1 Interval: 4 TokensMin:62 TokensMax: 500 PrioBias: 0 cpu 0: 326247 50001 0 (Typed in a 2.6.9-vs1.9.3 host server) By the way, I saw, a couple of month ago, that someone had designed what looked like a web interface to monitor Vservers, is that project dead ? -- ,, (° Nicolas Costes /|\ IUT de La Roche / Yon ( ^ ) Clé publique: http://www.keyserver.net/ ^ ^ Musique libre: http://musique-legale.info/ pgpJCr0IHkUzI.pgp Description: PGP signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Official copy method?
Hello, On 2005.05.12 07:48:27 -0600, [EMAIL PROTECTED] wrote: * Set up vserver barrier sudo showattr -d /vservers/vcrux02 ---bui- /vservers/vcrux02 sudo setattr --barrier /vservers/vcrux02 sudo showattr -d /vservers/vcrux02 ---Bui- /vservers/vcrux02 the barrier flag is supposed to be set on /vservers (i.e. the directory directly above the vserver's root directory). Not sure if setting the flag on the vserver's root itself may cause problems with 2.6 kernels. HTH Björn ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
RE: [Vserver] Official copy method?
On Thu, 12 May 2005 [EMAIL PROTECTED] wrote: * Set up vserver barrier sudo showattr -d /vservers/vcrux02 ---bui- /vservers/vcrux02 sudo setattr --barrier /vservers/vcrux02 sudo showattr -d /vservers/vcrux02 ---Bui- /vservers/vcrux02 Excuse my ignorance, but what does setattr --barrier do exactly? Can't find a man page for it - need to evaluate what it does to see if it's useful in my configureation. Thanks GW -- / Gary Wilson, aka dragon/dragonlord/dragonv480\ .'(_.--. e: [EMAIL PROTECTED] MSN: dragonv480 .--._)`. _ | Skype:dragonv480 ICQ:342070475 AIM:dragonv480 | _ `.( `--' w: http://volvo480.northernscum.org.uk `--' ).' \w: http://www.northernscum.org.uk / ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Official copy method?
On Thu, May 12, 2005 at 03:27:21PM +0100, Gaz Wilson wrote: On Thu, 12 May 2005 [EMAIL PROTECTED] wrote: * Set up vserver barrier sudo showattr -d /vservers/vcrux02 ---bui- /vservers/vcrux02 sudo setattr --barrier /vservers/vcrux02 sudo showattr -d /vservers/vcrux02 ---Bui- /vservers/vcrux02 Excuse my ignorance, but what does setattr --barrier do exactly? Can't find a man page for it - need to evaluate what it does to see if it's useful in my configureation. it protects the chroot against escapes, nothing more nothing less ... best, Herbert Thanks GW -- / Gary Wilson, aka dragon/dragonlord/dragonv480\ .'(_.--. e: [EMAIL PROTECTED] MSN: dragonv480 .--._)`. _ | Skype:dragonv480 ICQ:342070475 AIM:dragonv480 | _ `.( `--' w: http://volvo480.northernscum.org.uk `--' ).' \w: http://www.northernscum.org.uk / ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Official copy method?
On Thu, May 12, 2005 at 08:28:36AM -0600, [EMAIL PROTECTED] wrote: I was originally doing it that way but Herbert recommended this way. I have not experienced any issues so far. what I recommended was to use: setattr --barrier /vservers/vcrux02/.. instead of setattr --barrier /vservers (spot the dots ;) and it is because /path/to/.. is not necessarily the same as /path HTH, Herbert sig -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Björn Steinbrink Sent: Thursday, May 12, 2005 8:21 AM To: vserver@list.linux-vserver.org Subject: Re: [Vserver] Official copy method? Hello, On 2005.05.12 07:48:27 -0600, [EMAIL PROTECTED] wrote: * Set up vserver barrier sudo showattr -d /vservers/vcrux02 ---bui- /vservers/vcrux02 sudo setattr --barrier /vservers/vcrux02 sudo showattr -d /vservers/vcrux02 ---Bui- /vservers/vcrux02 the barrier flag is supposed to be set on /vservers (i.e. the directory directly above the vserver's root directory). Not sure if setting the flag on the vserver's root itself may cause problems with 2.6 kernels. HTH Björn ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] debian kernel 2.6.8 questions
On Thu, May 12, 2005 at 02:12:34PM +0800, Wai Phang wrote: Hi Herbert, Thank you for your clarifications. I have figured most of the stuff except this chattr: Function not implemented while setting flags on /var/lib/vservers okay, after second thought, what about enabling extended attributes for your filesystem? try something like chattr +i /var/lib/vservers (but don't forget to remove it again if that works) HTH, Herbert I am pretty sure i boot into the kernel with vserver patch when that happens. Also, is there any documentation i can refer to to convert the legacy config to the new one? TIA! Seph On 5/12/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 10:15:41AM +0800, Wai Phang wrote: Hi there, I am running debian sarge kernel 2.6.8 i686. I managed to setup everything and everything works fine except for 3 instances. 1. Whenever I start/stop my guest vserver, i get WARNING: can not find configuration, assuming legacy method which is a good indication that you are using a linux-vserver guest with a legacy config (i.e. single file vs. directory tree) 2. Whenever i stop my guest vserver, i get chcontext: vc_new_s_context(): Invalid argument which is probably caused by using dynamic context ids (which are depreciated) instead of static ones (i.e. no S_CONTEXT= in your config) 3. Occasionally, i get this error with util-vserver. (Using 0.30.204-5) chattr: Function not implemented while setting flags on /var/lib/vservers hmm ... might occasionally be related to not having booted with a vserver enabled kernel? Also, how can i verify my installation is correct. I have run the testme.sh file and everything shows up fine. Finally, do i need to enable Virtual block device for my kernel? not if you are not planning to use quota inside your vserver guest ... Really appreciate someone help me with these. TIA! HTH, Herbert Cheers! Seph ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
RE: [Vserver] Official copy method?
Herbert, You are correct. Sorry for misquoting you. Now I'm back to my usual state: Dazed and confused Here are my vservers ls -l /vservers/ total 20 drwxr-xr-x 17 root root 4096 Apr 8 11:36 vcrux01 drwxr-xr-x 17 root root 4096 Apr 8 11:36 vcrux02 drwxr-xr-x 17 root root 4096 Apr 22 08:02 vcrux03 Which of the following is correct syntax for the above example? A,B,C,D, or E :) A) setattr --barrier /vservers B) setattr --barrier /vservers/ C) setattr --barrier /vservers/vcrux02 D) setattr --barrier /vservers/vcrux02/ E) setattr --barrier /vservers/vcrux02/.. A and B need be run only once Repeat C,D,E for each vserver I have been using C. Is this an issue? So far things have been running fine. sig -Original Message- From: Herbert Poetzl [mailto:[EMAIL PROTECTED] Sent: Thursday, May 12, 2005 10:45 AM To: Magnuson, Sig Cc: vserver@list.linux-vserver.org Subject: Re: [Vserver] Official copy method? On Thu, May 12, 2005 at 08:28:36AM -0600, [EMAIL PROTECTED] wrote: I was originally doing it that way but Herbert recommended this way. I have not experienced any issues so far. what I recommended was to use: setattr --barrier /vservers/vcrux02/.. instead of setattr --barrier /vservers (spot the dots ;) and it is because /path/to/.. is not necessarily the same as /path HTH, Herbert sig -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Björn Steinbrink Sent: Thursday, May 12, 2005 8:21 AM To: vserver@list.linux-vserver.org Subject: Re: [Vserver] Official copy method? Hello, On 2005.05.12 07:48:27 -0600, [EMAIL PROTECTED] wrote: * Set up vserver barrier sudo showattr -d /vservers/vcrux02 ---bui- /vservers/vcrux02 sudo setattr --barrier /vservers/vcrux02 sudo showattr -d /vservers/vcrux02 ---Bui- /vservers/vcrux02 the barrier flag is supposed to be set on /vservers (i.e. the directory directly above the vserver's root directory). Not sure if setting the flag on the vserver's root itself may cause problems with 2.6 kernels. HTH Björn ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] Extra root security
Does anyone have an opinion as to whether disabling root's password within a vserver is worthwhile? Noone logs into a vserver as root via ssh, only from the master using vserver enter, so there's no point in having a root password, so it can be disabled by adding *LCK* in the passwd file on the vserver? Would this break anything (cron etc) Or is it better to set it to something rediculously long, so that anyone obtaining the password file by whatever means could spend a long time trying to crack a useless password? Just a random thought on my way home today ;) Gaz -- / Gary Wilson, aka dragon/dragonlord/dragonv480\ .'(_.--. e: [EMAIL PROTECTED] MSN: dragonv480 .--._)`. _ | Skype:dragonv480 ICQ:342070475 AIM:dragonv480 | _ `.( `--' w: http://volvo480.northernscum.org.uk `--' ).' \w: http://www.northernscum.org.uk / ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Extra root security
On Thu, 12 May 2005, Gaz Wilson wrote: Does anyone have an opinion as to whether disabling root's password within a vserver is worthwhile? Noone logs into a vserver as root via ssh, only from the master using vserver enter, so there's no point in having a root password, so it can be disabled by adding *LCK* in the passwd file on the vserver? Would this break anything (cron etc) IMO only interactive logins are supposed to be affected, but sometimes there are programs not being interested in my opinion. Just create a test vserver and try it, it's too late here to do that myself. -- AA - American Association Against Acronym Abuse Anonymous ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] ELF Loader Bug exploitable inside a vServer
Hello Herbert, serious problem: I read about the new BufferOverflow in the kernel's ELF Loader - it seems that an unprivileged attacker can start process in the kernels context.. details? - which issue? - what kernels are affected? - how does the 'exploit' look like? I reffered to the Announce on heise (http://www.heise.de/newsticker/meldung/59498) - I did not any additional research as I dont have much knowldeg about kernel but this one here sounds serioius as it might allow loading a compromised kernel-space programm by simply running an infected binary Oliver -- Diese Nachricht wurde digital unterschrieben oliwel's public key: http://www.oliwel.de/oliwel.crt Basiszertifikat: http://www.ldv.ei.tum.de/page72 smime.p7s Description: S/MIME Cryptographic Signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] cpu counters in 1.9.5
On Thu, 12 May 2005, Herbert Poetzl wrote: okay, adding the 'counters' back should not be too hard, so I take that as 'feature request' ... ... or a 'feature return' :-) Thanks, Grisha ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Official copy method?
On Thu, May 12, 2005 at 11:16:49AM -0600, [EMAIL PROTECTED] wrote: Herbert, You are correct. Sorry for misquoting you. Now I'm back to my usual state: Dazed and confused Here are my vservers ls -l /vservers/ total 20 drwxr-xr-x 17 root root 4096 Apr 8 11:36 vcrux01 drwxr-xr-x 17 root root 4096 Apr 8 11:36 vcrux02 drwxr-xr-x 17 root root 4096 Apr 22 08:02 vcrux03 Which of the following is correct syntax for the above example? A,B,C,D, or E :) A) setattr --barrier /vservers B) setattr --barrier /vservers/ C) setattr --barrier /vservers/vcrux02 D) setattr --barrier /vservers/vcrux02/ E) setattr --barrier /vservers/vcrux02/.. A and B need be run only once Repeat C,D,E for each vserver basically C and D are bad ;) A and B are (at least on 'sane' filesystems) identical E is the only one really required ... I have been using C. Is this an issue? So far things have been running fine. well, then I'd say, in your case, no ;) sig -Original Message- From: Herbert Poetzl [mailto:[EMAIL PROTECTED] Sent: Thursday, May 12, 2005 10:45 AM To: Magnuson, Sig Cc: vserver@list.linux-vserver.org Subject: Re: [Vserver] Official copy method? On Thu, May 12, 2005 at 08:28:36AM -0600, [EMAIL PROTECTED] wrote: I was originally doing it that way but Herbert recommended this way. I have not experienced any issues so far. what I recommended was to use: setattr --barrier /vservers/vcrux02/.. instead of setattr --barrier /vservers (spot the dots ;) and it is because /path/to/.. is not necessarily the same as /path HTH, Herbert sig -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Björn Steinbrink Sent: Thursday, May 12, 2005 8:21 AM To: vserver@list.linux-vserver.org Subject: Re: [Vserver] Official copy method? Hello, On 2005.05.12 07:48:27 -0600, [EMAIL PROTECTED] wrote: * Set up vserver barrier sudo showattr -d /vservers/vcrux02 ---bui- /vservers/vcrux02 sudo setattr --barrier /vservers/vcrux02 sudo showattr -d /vservers/vcrux02 ---Bui- /vservers/vcrux02 the barrier flag is supposed to be set on /vservers (i.e. the directory directly above the vserver's root directory). Not sure if setting the flag on the vserver's root itself may cause problems with 2.6 kernels. HTH Björn ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Re: debian kernel 2.6.8 questions
Hi Herbert, My kernel had extended attributes for ext2 and ext3 compiled in. Anyway, is there any security concern if i can't get that working? Thank you. Cheers! Seph On 5/13/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 05:26:11PM -0700, Wai Phang wrote: Hi Herbert, chattr +i /var/lib/vservers gave me the same error as well. well, then you should (and probably figured already) compile in/enable extended attributes for that filesystem of yours (to which /var/lib/vservers belongs) best, Herbert Cheers! Seph On 5/12/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 02:12:34PM +0800, Wai Phang wrote: Hi Herbert, Thank you for your clarifications. I have figured most of the stuff except this chattr: Function not implemented while setting flags on /var/lib/vservers okay, after second thought, what about enabling extended attributes for your filesystem? try something like chattr +i /var/lib/vservers (but don't forget to remove it again if that works) HTH, Herbert I am pretty sure i boot into the kernel with vserver patch when that happens. Also, is there any documentation i can refer to to convert the legacy config to the new one? TIA! Seph On 5/12/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 10:15:41AM +0800, Wai Phang wrote: Hi there, I am running debian sarge kernel 2.6.8 i686. I managed to setup everything and everything works fine except for 3 instances. 1. Whenever I start/stop my guest vserver, i get WARNING: can not find configuration, assuming legacy method which is a good indication that you are using a linux-vserver guest with a legacy config (i.e. single file vs. directory tree) 2. Whenever i stop my guest vserver, i get chcontext: vc_new_s_context(): Invalid argument which is probably caused by using dynamic context ids (which are depreciated) instead of static ones (i.e. no S_CONTEXT= in your config) 3. Occasionally, i get this error with util-vserver. (Using 0.30.204-5) chattr: Function not implemented while setting flags on /var/lib/vservers hmm ... might occasionally be related to not having booted with a vserver enabled kernel? Also, how can i verify my installation is correct. I have run the testme.sh file and everything shows up fine. Finally, do i need to enable Virtual block device for my kernel? not if you are not planning to use quota inside your vserver guest ... Really appreciate someone help me with these. TIA! HTH, Herbert Cheers! Seph ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] ELF Loader Bug exploitable inside a vServer
Herbert Poetzl wrote: On Thu, May 12, 2005 at 01:43:09PM +0200, Oliver Welter wrote: serious problem: I read about the new BufferOverflow in the kernel's ELF Loader - it seems that an unprivileged attacker can start process in the kernels context.. details? - which issue? Core dump privilege escallation. http://isec.pl/vulnerabilities/isec-0023-coredump.txt - what kernels are affected? Almost all 2.2, 2.4, 2.6 up to the *most* recent. - how does the 'exploit' look like? Specially crafted ELF binary can be used to overwrite kernel memory on coredump. Is it possible to break out of a vServer with this Bug ? depends, if you can create kernel processess, they certainly can circumvent _any_ kernel side protection so if done probably, I'd say so ... Probably yes. Hotfix as suggested by the paper: disable coredumps. Michal Ludvig -- * Personal homepage: http://www.logix.cz/michal ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Official copy method?
Herbert Poetzl wrote: and it is because /path/to/.. is not necessarily the same as /path Just in case people are not sure why the above might be true: If /path/dir is be a symlink to /bigstorage/path/dir, then /path/dir/.. is actually /bigstorage/path and not /path. The shell should remember how you got to a particular spot in the directory tree, but any children that are spawned from the shell might not. Regards Darryl ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Re: debian kernel 2.6.8 questions
On Fri, May 13, 2005 at 10:42:04AM +0800, Wai Phang wrote: Hi Herbert, My kernel had extended attributes for ext2 and ext3 compiled in. Anyway, is there any security concern if i can't get that working? Thank you. well, yes, actually it means that the extened attributes do not work on this path, so the barrier attribute used to protect the chroot (not really required with namespaces) is very likely to be missing too ... best, Herbert Cheers! Seph On 5/13/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 05:26:11PM -0700, Wai Phang wrote: Hi Herbert, chattr +i /var/lib/vservers gave me the same error as well. well, then you should (and probably figured already) compile in/enable extended attributes for that filesystem of yours (to which /var/lib/vservers belongs) best, Herbert Cheers! Seph On 5/12/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 02:12:34PM +0800, Wai Phang wrote: Hi Herbert, Thank you for your clarifications. I have figured most of the stuff except this chattr: Function not implemented while setting flags on /var/lib/vservers okay, after second thought, what about enabling extended attributes for your filesystem? try something like chattr +i /var/lib/vservers (but don't forget to remove it again if that works) HTH, Herbert I am pretty sure i boot into the kernel with vserver patch when that happens. Also, is there any documentation i can refer to to convert the legacy config to the new one? TIA! Seph On 5/12/05, Herbert Poetzl [EMAIL PROTECTED] wrote: On Thu, May 12, 2005 at 10:15:41AM +0800, Wai Phang wrote: Hi there, I am running debian sarge kernel 2.6.8 i686. I managed to setup everything and everything works fine except for 3 instances. 1. Whenever I start/stop my guest vserver, i get WARNING: can not find configuration, assuming legacy method which is a good indication that you are using a linux-vserver guest with a legacy config (i.e. single file vs. directory tree) 2. Whenever i stop my guest vserver, i get chcontext: vc_new_s_context(): Invalid argument which is probably caused by using dynamic context ids (which are depreciated) instead of static ones (i.e. no S_CONTEXT= in your config) 3. Occasionally, i get this error with util-vserver. (Using 0.30.204-5) chattr: Function not implemented while setting flags on /var/lib/vservers hmm ... might occasionally be related to not having booted with a vserver enabled kernel? Also, how can i verify my installation is correct. I have run the testme.sh file and everything shows up fine. Finally, do i need to enable Virtual block device for my kernel? not if you are not planning to use quota inside your vserver guest ... Really appreciate someone help me with these. TIA! HTH, Herbert Cheers! Seph ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver -- Est Solaris Oth Mithas ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] ELF Loader Bug exploitable inside a vServer
On Fri, May 13, 2005 at 02:43:50PM +1200, Michal Ludvig wrote: Herbert Poetzl wrote: On Thu, May 12, 2005 at 01:43:09PM +0200, Oliver Welter wrote: serious problem: I read about the new BufferOverflow in the kernel's ELF Loader - it seems that an unprivileged attacker can start process in the kernels context.. details? - which issue? Core dump privilege escallation. http://isec.pl/vulnerabilities/isec-0023-coredump.txt - what kernels are affected? Almost all 2.2, 2.4, 2.6 up to the *most* recent. - how does the 'exploit' look like? Specially crafted ELF binary can be used to overwrite kernel memory on coredump. Is it possible to break out of a vServer with this Bug ? depends, if you can create kernel processess, they certainly can circumvent _any_ kernel side protection so if done probably, I'd say so ... Probably yes. Hotfix as suggested by the paper: disable coredumps. yup, but better upgrade to 2.6.11.9-vs2.0-rc1 ;) best, Herbert Michal Ludvig -- * Personal homepage: http://www.logix.cz/michal ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] ELF Loader Bug exploitable inside a vServer
yup, but better upgrade to 2.6.11.9-vs2.0-rc1 ;) As I use this on *very* vital production machines - anyone here who can tell me if its working ;) Oliver -- Diese Nachricht wurde digital unterschrieben oliwel's public key: http://www.oliwel.de/oliwel.crt Basiszertifikat: http://www.ldv.ei.tum.de/page72 smime.p7s Description: S/MIME Cryptographic Signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
