Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
On Fri, Apr 01, 2005 at 07:31:07PM +0200, Oliver Welter wrote:
> Hi Herbert,
>
> >>> hmm - so I think I have to mod the sources as I can't find appropriate
> >>> kernel config params...
> >
> > check for security modules and capabilities in particular
>
> Can you tell me what I must look for?
> If you mean "kernel" modules - I have a monolithic one - so no modules
> are loaded at all

CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=y

or

CONFIG_SECURITY=n

both will use the capabilities compiled in ...

> >> So, that's not what I think... I encountered the same problem, but on the
> >> "normal" kernels 2.6.8/9/10. The solution was to 'modprobe capabilities' or
> >> 'modprobe realtime'. But if ntpd runs in the "main" context, I think, it
> >> is not
> >
> > this diagnosis sounds very accurate to me ...
> > I would double check if capabilities are loaded/compiled in
> >
> > maybe you are in deep trouble and do not even know it ;)
>
> as we use vserver only for process separation due to better maintenance
> it will not affect operational security - but good hint anyway

it will, it will. trust me ...

most checks in linux-vserver kernel code are based on linux
capabilities, so they are a requirement, not some kind of
addon/feature ...

best,
Herbert

> Oliver
> --
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Base certificate: http://www.ldv.ei.tum.de/page72

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
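Added example, not code from the thread, from ntpd or from linux-vserver: the privilege drop that produces the "cap_set_proc() failed to drop root privileges" message from the original post, written against the raw capget(2)/capset(2) syscalls so it builds without libcap, together with the two checks worth running before touching kernel sources: a capget/capset round-trip that must succeed on any kernel with capability support (root or not, so it isolates the CONFIG_SECURITY question Herbert raises), and a decoder for the CapEff/CapPrm lines of /proc/self/status. The uid/gid 65534, the field names and the sample status text are assumptions or constructed data; run as non-root the final drop is expected to fail with EPERM, since nothing can be added to an empty permitted set.

```c
/* Added example (not from the thread, ntpd or linux-vserver).
 * Linux only: uses the v3 capability ABI (two 32-bit words per set). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Look up a "CapXxx:\t<hex>" line in /proc/<pid>/status text and report
 * whether capability number `cap` is in that set.
 * Returns 1 if set, 0 if clear, -1 if the field is not present. */
int status_has_cap(const char *status_text, const char *field, int cap)
{
    const char *p = status_text;
    size_t flen = strlen(field);

    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            uint64_t mask = strtoull(p + flen + 1, NULL, 16); /* skips the tab */
            return (int)((mask >> cap) & 1);
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Diagnostic for the thread's failure: capget() followed by capset() with
 * the identical sets.  On a kernel with capability support this no-op
 * succeeds for root and non-root alike; it is the same kernel path that
 * libcap's cap_set_proc() takes.  Returns 0 or -errno. */
int capset_probe(void)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* The drop a daemon such as "ntpd -u" performs: keep capabilities across
 * the uid change, then shrink permitted/effective to CAP_SYS_TIME only.
 * Returns 0 or -errno of the failing step, so EPERM from capset() can be
 * told apart from a setuid() failure. */
int drop_to_sys_time(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];

    /* Without KEEPCAPS, setuid() away from 0 clears the permitted set and
     * the later capset() has nothing left to keep. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -errno;
    if (getuid() == 0 && (setgid(gid) < 0 || setuid(uid) < 0))
        return -errno;

    memset(data, 0, sizeof data);
    data[CAP_TO_INDEX(CAP_SYS_TIME)].permitted = CAP_TO_MASK(CAP_SYS_TIME);
    data[CAP_TO_INDEX(CAP_SYS_TIME)].effective = CAP_TO_MASK(CAP_SYS_TIME);
    if (syscall(SYS_capset, &hdr, data) < 0)  /* EPERM here is the thread's symptom */
        return -errno;
    return 0;
}

int main(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    int rc;

    if (f)
        fclose(f);
    buf[n] = '\0';
    printf("CAP_SYS_TIME in CapEff before drop: %d\n",
           status_has_cap(buf, "CapEff", CAP_SYS_TIME));

    rc = capset_probe();
    printf("capget/capset round-trip: %s\n", rc ? strerror(-rc) : "ok");

    /* uid/gid 65534 (nobody on many systems) is an assumption. */
    if (rc == 0 && (rc = drop_to_sys_time(65534, 65534)) != 0)
        printf("drop_to_sys_time: %s\n", strerror(-rc));
    return rc ? 1 : 0;
}
```

Build with `cc -o capcheck capcheck.c` and run it as root once in the host context and once inside a guest. A failing round-trip on the host means the kernel itself has no working capability support (the CONFIG_SECURITY settings above); a round-trip that passes on the host but a drop that fails only in a guest points at what that context is allowed, which is the capabilities(7) CAP_* question Peter raises further down.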
Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
Hi Herbert,

>>> hmm - so I think I have to mod the sources as I can't find appropriate
>>> kernel config params...
>
> check for security modules and capabilities in particular

Can you tell me what I must look for?
If you mean "kernel" modules - I have a monolithic one - so no modules
are loaded at all

>> So, that's not what I think... I encountered the same problem, but on the
>> "normal" kernels 2.6.8/9/10. The solution was to 'modprobe capabilities' or
>> 'modprobe realtime'. But if ntpd runs in the "main" context, I think, it
>> is not
>
> this diagnosis sounds very accurate to me ...
> I would double check if capabilities are loaded/compiled in
>
> maybe you are in deep trouble and do not even know it ;)

as we use vserver only for process separation due to better maintenance
it will not affect operational security - but good hint anyway

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
On Fri, Apr 01, 2005 at 07:06:19PM +0400, Peter V. Saveliev wrote:
> > > does ntpd start on this kernel in xid=0, that is, _not_ in virtual
> > > context?
> >
> > yes the ntp is running in the "main" context
> >
> > > I'm not sure, but if it doesn't, see "capabilities" module or like that --
> > > "realtime" etc, depends on the kernel configuration.
> >
> > hmm - so I think I have to mod the sources as I can't find appropriate
> > kernel config params...

check for security modules and capabilities in particular

> So, that's not what I think... I encountered the same problem, but on the
> "normal" kernels 2.6.8/9/10. The solution was to 'modprobe capabilities' or
> 'modprobe realtime'. But if ntpd runs in the "main" context, I think, it is
> not

this diagnosis sounds very accurate to me ...
I would double check if capabilities are loaded/compiled in

maybe you are in deep trouble and do not even know it ;)

best,
Herbert

> the same case. Maybe you have to look around capabilities(7) to get appropriate
> CAP_* in the context?
>
> --
> Peter V. Saveliev
Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
> > does ntpd start on this kernel in xid=0, that is, _not_ in virtual
> > context?
>
> yes the ntp is running in the "main" context
>
> > I'm not sure, but if it doesn't, see "capabilities" module or like that --
> > "realtime" etc, depends on the kernel configuration.
>
> hmm - so I think I have to mod the sources as I can't find appropriate
> kernel config params...

So, that's not what I think... I encountered the same problem, but on the
"normal" kernels 2.6.8/9/10. The solution was to 'modprobe capabilities' or
'modprobe realtime'. But if ntpd runs in the "main" context, I think, it is not
the same case. Maybe you have to look around capabilities(7) to get appropriate
CAP_* in the context?

--
Peter V. Saveliev
Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
>> I encountered a problem when I wanted to start an NTP on a vserver-based
>> system
>>
>> I get
>> cap_set_proc() failed to drop root privileges: Operation not permitted
>>
>> The system is Suse 9.2 with a vserver 2.6.9 kernel
>
> does ntpd start on this kernel in xid=0, that is, _not_ in virtual
> context?

yes the ntp is running in the "main" context

> I'm not sure, but if it doesn't, see "capabilities" module or like that --
> "realtime" etc, depends on the kernel configuration.

hmm - so I think I have to mod the sources as I can't find appropriate
kernel config params...

Oliver
Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
In a message of Friday 01 April 2005 17:19 [EMAIL PROTECTED] wrote:
> Hi All,
>
> I encountered a problem when I wanted to start an NTP on a vserver-based system
>
> I get
> cap_set_proc() failed to drop root privileges: Operation not permitted
>
> The system is Suse 9.2 with a vserver 2.6.9 kernel

does ntpd start on this kernel in xid=0, that is, _not_ in virtual context?

I'm not sure, but if it doesn't, see "capabilities" module or like that --
"realtime" etc, depends on the kernel configuration.

--
Peter V. Saveliev
[Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
Hi All,

I encountered a problem when I wanted to start an NTP on a vserver-based system

I get
cap_set_proc() failed to drop root privileges: Operation not permitted

The system is Suse 9.2 with a vserver 2.6.9 kernel

Any hints?

Oliver