Re: [Vserver] 2.6.21.5-vs2.2.0-rc3-grsec2.1.10
waauw, my english is terrible, excuse me for that... but the message is clear i guess ;)

harry wrote:
> hey all,
> because a lot of people asked me where it was... here i decided to make a patch for the latest kernel version as well... with all the latest patches i could find :)
> here it is: http://people.linux-vserver.org/~harry/patch-2.6.21.5-vs2.2.0-rc3-grsec2.1.10-20070620.diff
> it's not well tested yet... but it should work as good as... well.. anything else.
> if there are any problems that are related to this patch... let me know (on irc or mail or whatever ;))
> good luck with it, hope you will enjoy it!
> greetz,

--
harry aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry
Don't steal - the government hates competition.
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] 2.6.21.5-vs2.2.0-rc3-grsec2.1.10
hey all,
because a lot of people asked me where it was... here i decided to make a patch for the latest kernel version as well... with all the latest patches i could find :)
here it is: http://people.linux-vserver.org/~harry/patch-2.6.21.5-vs2.2.0-rc3-grsec2.1.10-20070620.diff
it's not well tested yet... but it should work as good as... well.. anything else.
if there are any problems that are related to this patch... let me know (on irc or mail or whatever ;))
good luck with it, hope you will enjoy it!

greetz,

--
harry aka Rik Bobbaers
Re: [Vserver] VS-GRSec combined patch for 2.6.20 kernel?
heya,

i don't really know... a lot of people ask me.
i'm not too fond of the latest 2.6.20 kernel (they're at 2.6.20.11 already). reasons: they introduced KVM, and kernel programmers tend to make a mess of new code. so i don't really trust the security of that (yet).
since the grsec patches i add are primarily to enhance security, i'm not too fond of the latest and greatest kernel.
there is no official release for grsec+pax for 2.6.20, i could use a "beta" version, but ... well... that's just beta :)
so my plan was to wait for a release of grsec/pax, then do a new merge/patch/fix for that kernel!
do you need a 2.6.21 kernel badly? or is the 2.6.19.7 good enough for now?
i won't do a 2.6.20 patch i think ;) the next one will be 2.6.21.x (they already have the 2.6.21.1, who knows what bugs occur tomorrow.. ;))

greetz,

Lane Whittaker wrote:
> I don't see a combined "vs2.2.0-grsec2.1.10" for a 2.6.20 kernel on the Wiki page. I see from the GRSec list that they have a patch out for the 2.6.21 kernel.
> Prior experience has shown me that patching them separately doesn't work regardless of order.
> Is there a combined patch for any 2.6.2x kernel I just haven't found somewhere? If not, any plans to produce one in the near future?

--
harry aka Rik Bobbaers
Re: [Vserver] routing: 2 different virtual subnets on the same machine
that's essentially my point :)
i have the host on my management network; all the virtual hosts are on different networks (with different routing preferences).
i don't want to add it manually for all servers, so i put this in .default somewhere, so it starts routing for all ip addresses of the vserver.
depending on the source, it calculates the network/gateway, adds special routes for those networks.
it works kinda neat, the only "disadvantage": it gives warnings when you add a second host to the same network. why? the route for that network is already defined! so it doesn't really matter that you redefine it, it will just warn you about that :) safe to ignore that ;)
(i COULD do that in the script, but then i wouldn't know if something went REALLY wrong... which never happened before on my systems, but you never know)
one other solution is to make a "universal" routing script per server instead of per network.
anyway, it works seamlessly on all our servers, so i love it ;)
let me know if you make enhancements or so... that's why it's all open source ;)

greetz, and have fun with them!

Chuck wrote:
> wow. fast glance so i am not positive, but these look like they will allow you to add a network/ip to the host routing tables via only a guest start without having to add the basic config into the host!!
> this means that if i decide to bring up 192.168.20.0/24 having never had it on the host before, i don't have to add it to the host setups, the virtual server using that network will add it for me... way cool! :)
> thanks! never even thought of this possibility.

--
harry aka Rik Bobbaers
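The scheme harry describes above (derive network and gateway from each guest's addresses at start, add the routes, tolerate the duplicate warning), as an added example that is not his script from people.linux-vserver.org: it computes the network in plain sh and only emits ip(8) policy-routing commands for networks the host has no rule for yet, which is the check he mentions he could add to the script. The gateway convention (first host of the network), the table numbering from 100 upwards and the sample rule listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not harry's pre-start script: derive each guest's network and
# gateway, print routing commands only for networks not yet routed on the host.
# Assumptions: gateway = first host, one policy table per network from 100 up.

ip_to_int() {                       # 192.168.20.5 -> 3232240645
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

network_of() {                      # 192.168.20.5/24 -> 192.168.20.0/24
    plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    echo "$(int_to_ip $(( $(ip_to_int "${1%/*}") & mask )))/$plen"
}

gateway_of() {                      # 192.168.20.0/24 -> 192.168.20.1 (assumed convention)
    int_to_ip $(( $(ip_to_int "${1%/*}") + 1 ))
}

# plan_routes "<ip rule show output>" ip/prefix... : prints the ip(8) commands for
# every guest network without a "from NET lookup TABLE" rule (commands are not run).
plan_routes() {
    rules=$1; shift; tbl=100
    for addr in "$@"; do
        net=$(network_of "$addr")
        if printf '%s\n' "$rules" | grep -qF "from $net lookup"; then
            continue                # host already routes this network: no warning
        fi
        while printf '%s\n' "$rules" | grep -q "lookup $tbl\$"; do
            tbl=$((tbl + 1))        # skip table numbers already in use
        done
        echo "ip route add default via $(gateway_of "$net") table $tbl"
        echo "ip rule add from $net lookup $tbl"
        # remember it, so a second guest on the same network is skipped
        rules="$rules
from $net lookup $tbl"
        tbl=$((tbl + 1))
    done
}

# Constructed sample of "ip rule show": 10.1.0.0/24 already uses table 100.
SAMPLE_RULES="0:      from all lookup local
32765:  from 10.1.0.0/24 lookup 100
32766:  from all lookup main"
```

Running `plan_routes "$SAMPLE_RULES" 192.168.20.5/24 192.168.20.6/24 10.1.0.7/24 172.16.4.9/22` prints commands for 192.168.20.0/24 (table 101) and 172.16.4.0/22 (table 102) only; the second guest on 192.168.20.0/24 and the already-routed 10.1.0.0/24 add nothing.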
Re: [Vserver] OCS Inventory
in the same sense... disable all firewalls, open up your telnet port and allow passwordless root login on all your machines, or pull the plug. those are the only possibilities, right?

Daniel W. Crompton wrote:
> Seriously, if you care about your guest being secure you make sure that the host doesn't have physical network access.
> If you want to be able to run certain programs in a guest you sometimes need rights which are available to only the host. That's the whole point of caps.
> I want to make it clear that I have no idea what the OCS program does, but if you want to run it in a guest then you need to be able to access /dev/mem. Making the guest insecure is the price you have to pay. Having network access for a machine means risking remote attacks; it's the price you pay.
> I hardly run anything on my host systems besides syslog and sshd, practically everything runs in a guest. Some guests have caps that give it almost full access to the host system, on other guests you don't even have write access to the disk or a compiler. (It logs to the host's syslog anyway.)
> The level of access you need in a guest determines who access is given to, not whether you do something or not. The only thing you "absolutely never ever" want to do is give somebody you don't trust physical access to the host, anything else is a question of need.

--
harry aka Rik Bobbaers
Re: [Vserver] Routing in VServers
heya,

i don't think this is what you're looking for, but i put my firewalling and routing scripts (pre-start and post-stop) online: http://people.linux-vserver.org/~harry/scripts/
hope you find some use in it...

greetz,

Asier Baranguán wrote:
> Hi all!
> Networking & firewall are not my strong points, so perhaps this could sound a silly question.
> I've five linux VServers, each with its own _real_ IP address (not 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to close access from outside to some ports, but allow full communication between the guests. The guests have valid IP addresses so I think [DS]NAT is not needed.
> I've read that this must be done in the host, but I'm lost because my knowledge about iptables is nearly zero.
> Could someone point me to some URL or doc?

--
harry aka Rik Bobbaers
Re: [Vserver] Compiling 2.6.19.1 with vs+grsec
i couldn't wait... it's done, the patch is fixed (the "struct" was removed one way or another :S)
btw. do you really need legacy stuff? ;)

grtz,

Johan Marcusson wrote:
> Hi
> I just tried compiling kernel 2.6.19.1 patched with vs2.2.0-rc6-grsec2.1.9 (latest "upcoming" stable). It doesn't seem to work very well however, I get this error message:
>
> saturn linux-2.6.19.1 # make all && make modules_install
>   CHK     include/linux/version.h
>   CHK     include/linux/utsrelease.h
>   CHK     include/linux/compile.h
>   CC      fs/proc/array.o
> fs/proc/array.c: In function 'proc_pid_status':
> fs/proc/array.c:329: error: 'nx_info' undeclared (first use in this function)
> fs/proc/array.c:329: error: (Each undeclared identifier is reported only once
> fs/proc/array.c:329: error: for each function it appears in.)
> fs/proc/array.c:329: error: 'nxi' undeclared (first use in this function)
> fs/proc/array.c:331: warning: ISO C90 forbids mixed declarations and code
> make[2]: *** [fs/proc/array.o] Error 1
> make[1]: *** [fs/proc] Error 2
> make: *** [fs] Error 2
>
> I get this error both with GCC 4.1.1 and GCC 3.4.6
> Anyone else having the same problem?
>
> / Johan Marcusson

--
harry aka Rik Bobbaers
Re: [Vserver] Compiling 2.6.19.1 with vs+grsec
i will fix this monday! it will also contain grsec 2.1.10 which is released today, and it will be for 2.6.19.2 ;)
2 more days... ;)

grtz,

Johan Marcusson wrote:
> Hi
> I just tried compiling kernel 2.6.19.1 patched with vs2.2.0-rc6-grsec2.1.9 (latest "upcoming" stable). It doesn't seem to work very well however, I get this error message:
>
> saturn linux-2.6.19.1 # make all && make modules_install
>   CHK     include/linux/version.h
>   CHK     include/linux/utsrelease.h
>   CHK     include/linux/compile.h
>   CC      fs/proc/array.o
> fs/proc/array.c: In function 'proc_pid_status':
> fs/proc/array.c:329: error: 'nx_info' undeclared (first use in this function)
> fs/proc/array.c:329: error: (Each undeclared identifier is reported only once
> fs/proc/array.c:329: error: for each function it appears in.)
> fs/proc/array.c:329: error: 'nxi' undeclared (first use in this function)
> fs/proc/array.c:331: warning: ISO C90 forbids mixed declarations and code
> make[2]: *** [fs/proc/array.o] Error 1
> make[1]: *** [fs/proc] Error 2
> make: *** [fs] Error 2
>
> I get this error both with GCC 4.1.1 and GCC 3.4.6
> Anyone else having the same problem?

--
harry aka Rik Bobbaers
Re: [Vserver] grsec + vserver
Quoting Sébastien CRAMATTE <[EMAIL PROTECTED]>:
> I haven't seen file size ... so I suppose that I don't need to apply
> anything before!
> Sorry for the disturbance :(

yes, you take the vanilla kernel from kernel.org and apply the patch, then you have a grsec + vserver kernel.
good luck with it

--
harry aka Rik Bobbaers
[Vserver] grsec + vserver
hey all,
i know it's been a while... but!!!
http://harry.ulyssis.org/vserver/patch-2.6.16.11-vs2.0.2-rc18-grsec2.1.9.diff
we've got ourselves a new one... and as requested, with a stable vserver patch. the grsec part is also pretty stable btw... talked to the grsec/pax developers about it :)
so... have fun with it all... and please let me know if there are any problems...

greetz,

(ps. webserver might be down when you read this, but it will be up again very soon (i hope ;))

--
harry aka Rik Bobbaers
[Vserver] Re: About GRSecurity and VSERVER
Quoting Sébastien CRAMATTE <[EMAIL PROTECTED]>:
> Hello
>
> Could you send me a GRSecurity configuration for a 2.6 kernel ?

i put 2 config files of a running system online... (both adapted to work with vserver and vmware server ;))

> PS: Do you think a patch for 2.6.15 and grsecurity 2.1.8 + vserver ? It seems that grsecurity 2.1.9 is not announced yet ?

atm, i'm waiting for spender to release 2.1.9... there is one already, but i don't know how stable it is yet (first bugs are fixed). but i will probably try it this week, and then also patch it for vserver, see if i can get them to work together peacefully ;)
i'll have to talk to bertl which vserver patch will be the best to use.
i won't make a grsec + vserver patch for 2.6.15, for the simple reason: there is no grsec for 2.6.15, and there never will be. i could of course port grsec to 2.6.15, but that would take a lot of time, and it's just not really worth it imho... so i'll just use official releases for both grsec and vserver...

--
harry aka Rik Bobbaers