Re: [Vserver] /proc must be mounted error

2004-03-19 Thread Bjoern Steinbrink
On Fri, 2004-03-19 at 23:55, Christian Jung wrote:
> I did not find anything useful in the groups. There was something
> mentioned
> that the proc filesystem is hidden for security reasons and that this
> can be
> changed with a tool. I did not really understand this, sorry.
>  
As the procfs exposes some things that shouldn't be seen inside a
vserver, proc entries can be hidden. For stable they're visible by
default; for devel/exper. they're only visible in ctx 0 by default.
A paper on vproc security can be found here:
http://www.linux-vserver.org/index.php?page=Proc-Security
For the experimental patches you should use the util-vserver alpha tools
that come with a tool called setattr. I guess the vproc tool would work
as well, but the changed flag logic would make the CLI appear confusing.
There are no documented known-to-be-safe proc-visibility settings, but
IIRC Bertl has posted some hints about good starting points on the list.
> I know that this version is experimental and so is subject to fail.
You may want to use vs0.09.22; it is quite stable for me and has some nifty
features ;)

Bjoern


___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] /proc must be mounted error

2004-03-19 Thread Enrico Scholz
[EMAIL PROTECTED] ("Christian Jung") writes:

> Error: /proc must be mounted
> ...
> The System is a debian. Kernel 2.6.3 + vserver patch-2.6.3-vs0.09.diff

Since you are using the experimental kernel patch, you can try the alpha
branch of util-vserver:

 http://www.linux-vserver.org/index.php?page=alpha+util-vserver

There you have a 'vprocunhide' (init)script which unhides some files;
the current list is available at

http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/distrib/misc/vprocunhide-files?rev=HEAD



Enrico


Re: [Vserver] /proc must be mounted error

2004-03-20 Thread Gregory (Grisha) Trubetskoy


On Sat, 20 Mar 2004, Enrico Scholz wrote:

> There you have a 'vprocunhide' (init)script which unhides some files;
> the current list is available at
>
> http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/distrib/misc/vprocunhide-files?rev=HEAD

Would you consider this a pretty safe list of things to be visible in
a vserver?

Grisha


Re: [Vserver] /proc must be mounted error

2004-03-21 Thread Herbert Poetzl
On Sat, Mar 20, 2004 at 01:15:56PM -0500, Gregory (Grisha) Trubetskoy wrote:
> 
> 
> On Sat, 20 Mar 2004, Enrico Scholz wrote:
> 
> > There you have a 'vprocunhide' (init)script which unhides some files;
> > the current list is available at
> >
> > http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/distrib/misc/vprocunhide-files?rev=HEAD
> 
> Would you consider this a pretty safe list of things to be visible in
> a vserver?

I did a quick, first-impression classification on those
entries, so it is a start, but nothing final, and YMMV.

/proc/net/          (C)
-/proc/net/rpc/     (D)
/proc/sys/          (C)
-/proc/sys/debug/   (D)
-/proc/sys/dev/     (D)
/proc/sysvipc/      (C)
/proc/tty/          (C)
/proc/cmdline       (B)
/proc/cpuinfo       (A)
/proc/crypto        (A)
/proc/devices       (B)
/proc/execdomains   (B)
/proc/filesystems   (B)
/proc/interrupts    (B)
/proc/iomem         (B)
/proc/ioports       (B)
/proc/kcore         (D)
/proc/kmsg          (C)
/proc/ksyms         (C)
/proc/loadavg       (A)
/proc/locks         (B)
/proc/meminfo       (A)
/proc/misc          (B)
/proc/modules       (B)
/proc/pci           (C)
/proc/slabinfo      (A)
/proc/stat          (A)
/proc/swaps         (B)
/proc/uptime        (A)
/proc/version       (B)

(A) ... useful on vservers (maybe even required)
(B) ... not required, leaks host info
(C) ... critical, might pose a security risk
(D) ... dangerous, might be used for DoS

HTH,
Herbert

> Grisha


Re: [Vserver] /proc must be mounted error

2004-03-22 Thread Enrico Scholz
[EMAIL PROTECTED] ("Gregory (Grisha) Trubetskoy") writes:

>> http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/distrib/misc/vprocunhide-files?rev=HEAD
>
> Would you consider this a pretty safe list of things to be visible in
> a vserver?

It is probably too restrictive and removes too many entries. I am
currently aware of only two /proc entries which are not covered by
linux capabilities: sysrq-triggers and scsi. Else, I do not see a
reason to hide other entries since this can destroy functionality for
highly privileged vservers (e.g. VPN/firewall-setup vservers).

The list above is something like proof-of-concept data for the vprocunhide
script and can be overridden locally.


Enrico


Re: [Vserver] /proc must be mounted error

2004-03-22 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

> I did a quick, first-impression classification on those
> entries, so it is a start, but nothing final, and YMMV.
>
> /proc/net/          (C)

required at least for firewall- or VPN-setup vservers


> -/proc/net/rpc/     (D)

proof-of-concept code ;) there is probably no need to remove this entry,
but this directory seems to be good for testing the '-' prefix without
destroying too much functionality...


> -/proc/sys/debug/   (D)
> -/proc/sys/dev/     (D)

ditto


> /proc/kcore         (D)
> /proc/kmsg          (C)
> /proc/ksyms         (C)

protected by CAP_SYS_ADMIN


> (B) ... not required, leaks host info

I do not think that this is a real problem; most parameters can be
determined in other ways also. So hiding the /proc entries would not
increase security.


> (C) ... critical, might pose a security risk
> (D) ... dangerous, might be used for DoS

Capability system should and must give enough protection; there are a few
entries (sysrq-triggers and scsi) which need the extra vproc wrapper. But
this should be the exception, not the rule...




Enrico
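An added example (not code from this thread or from util-vserver) that turns a classified entry list like Herbert's into a per-entry visibility plan for a given cut-off class; the entry list is constructed from the classification in the thread, and the '-' prefix meaning "re-hide this entry under an unhidden parent", as well as the `max_class` parameter, are assumptions about the vprocunhide format rather than its documented behaviour:

```python
"""Compute a /proc visibility plan from a classified entry list.

Constructed example: the entries and (A)-(D) classes follow the quick
classification posted in the thread; the '-' prefix meaning "re-hide this
entry under an unhidden parent" is an assumption about the vprocunhide
file format, not taken from the util-vserver sources.
"""
from typing import Dict, List, Tuple

# Constructed input in the assumed vprocunhide-files style: path, class.
CLASSIFIED = """
/proc/net/        C
-/proc/net/rpc/   D
/proc/sys/        C
-/proc/sys/debug/ D
-/proc/sys/dev/   D
/proc/cpuinfo     A
/proc/cmdline     B
/proc/kcore       D
/proc/loadavg     A
/proc/meminfo     A
/proc/uptime      A
/proc/version     B
"""

ORDER = "ABCD"  # class letters from least to most sensitive


def parse(text: str) -> List[Tuple[str, str, bool]]:
    """Return (path, class, hide) triples; a leading '-' marks a re-hide."""
    out = []
    for line in text.strip().splitlines():
        path, cls = line.split()
        out.append((path.lstrip("-"), cls, path.startswith("-")))
    return out


def plan(entries: List[Tuple[str, str, bool]], max_class: str) -> Dict[str, bool]:
    """Map path -> visible, exposing only entries of class max_class or lower.

    Parents are decided before children (sort by path depth) so that a '-'
    child under an unhidden parent is re-hidden and a child of a hidden
    directory stays hidden whatever its own class says.
    """
    allowed = set(ORDER[: ORDER.index(max_class) + 1])
    visible: Dict[str, bool] = {}
    for path, cls, hide in sorted(entries, key=lambda e: e[0].count("/")):
        parent_hidden = any(not v and p.endswith("/") and path.startswith(p)
                            for p, v in visible.items())
        visible[path] = cls in allowed and not hide and not parent_hidden
    return visible
```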