Re: [Vserver] grsecurity ending
> It appears the grsecurity project is ending.

So... no one wants to maintain vserver+grsec... and now no one wants to maintain grsec itself? Nice.

--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
We're giving you a new chance in life, and an opportunity to screw it up in a new, original way.

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] grsecurity ending
Dariush Pietrzak said:
> So... no one wants to maintain vserver+grsec... and now no one wants to
> maintain grsec itself?

Well he's borrowing money to buy food. So he can't support himself and spend all his time doing grsecurity. One of his sponsors failed to pay him, so he's stuck.

The current vserver+grsecurity is working perfectly well for me on my systems. I've been using Sandino Araico Sanchez's vserver+grsec patch and they've been stable as a rock.

> From: Sandino Araico Sánchez <[EMAIL PROTECTED]>
> I've just uploaded the patch Vserver 1.27 + GR Security 1.9.14 against
> 2.4.25 to
> http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.27.patch.gz

--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Vserver] grsecurity ending
On Tue, Jun 01, 2004 at 03:11:15PM -0600, Lucas Albers wrote:
> Dariush Pietrzak said:
> > So... no one wants to maintain vserver+grsec... and now no one wants to
> > maintain grsec itself?
>
> Well he's borrowing money to buy food.
> So he can't support himself and spend all his time doing grsecurity.
> One of his sponsors failed to pay him, so he's stuck.

On Tue, Jun 01, 2004 at 02:01:30PM -0600, Lucas Albers wrote:
> He currently has 10 sponsors and is looking to make enough
> to pay for his expenses.

well, how should I put this ...

currently I have _no_ sponsor sending money, and, although I would _love_ to spend all my time doing linux-vserver, I have to _work_ to earn the money to buy food and pay for shelter, connectivity and clothing ...

> The current vserver+grsecurity is working perfectly well for me on my
> systems. I've been using Sandino Araico Sanchez's vserver+grsec
> patch and they've been stable as a rock.

as far as I know, a 'working' vserver/grsec combo was done several times, but not seriously tested, and as far as I heard, there were some issues ...

nevertheless, if grsec is going to perish, for whatever reason, it might be interesting to absorb those parts useful for linux-vserver into a security branch of linux-vserver ... (would be 2.6 branch of course)

best,
Herbert

> > From: Sandino Araico Sánchez <[EMAIL PROTECTED]>
> > I've just uploaded the patch Vserver 1.27 + GR Security 1.9.14 against
> > 2.4.25 to
> > http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.27.patch.gz
>
> --
> Luke
> Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
Re: [Vserver] grsecurity ending
> > So... no one wants to maintain vserver+grsec... and now no one wants to
> > maintain grsec itself?
> Well he's borrowing money to buy food.

Normally you would work to get money for food

> So he can't support himself and spend all his time doing grsecurity. One
> of his sponsors failed to pay him, so he's stuck.

Shame on his sponsors, but on another hand - shame on grsec community, the way I see it, grsec should get split into few manageable parts with few developers working on it. Single developer without stable income is asking for trouble...

> The current vserver+grsecurity is working perfectly well for me on my
> systems. I've been using Sandino Araico Sanchez's vserver+grsec patch and
> they've been stable as a rock.

That's good for you. And if you believe this is ideal recommendation then I've got this wonderfully cheap bridge for sale, it's a real bargain...

To reiterate what I and few other people already said - it's not enough to just integrate two conflicting patches and call it a day - vserver+grsec is not trivial.

Until someone comes up and commits to maintaining vrsec;) vserver+grsec does not exist. All that exists is a bunch of amateur merges of vserver&grsec ... I made those.. few other people made those... but AFAIK no one with intimate understanding of both projects.

So there are two main challenges -

1) merging (with understanding and documenting what you are doing, for example, resolving chroot restrictions can be made in multitude of ways, grsec on top of vserver, vserver on top of grsec, grsec instead of vserver, vserver instead of grsec etc...etc... And this is probably the most trivial part)

2) committing to maintaining this product... accepting bugreports, updating, communicating with both vserver and grsec teams ( for example, securing chroot properly for vserver+grsec should result in modifications that could go to both those projects ).

The way it is now it looks like this:

"Hi, i downloaded grsec+vserver and now I've got this problem...
...
...
Oh wait, my kernel is oopsing like crazy".

So, I think that the best way to resolve this whole mess goes like this:

1) grsec sponsors get their acts together (probably fear of bad publicity may help here...),

2) bunch of different developers gets interested in grsec, and one of those decides to take responsibility for maintaining this whole magical vrsec thingy.

3) in the process of accommodating new developers grsec splits into modules (like in the early days of security enhancing patches) with different devs taking care of different modules.

--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
We're giving you a new chance in life, and an opportunity to screw it up in a new, original way.
Re: [Vserver] grsecurity ending
On Tue, 1 Jun 2004, Herbert Poetzl wrote:
> currently I have _no_ sponsor sending money, and, although I would
> _love_ to spend all my time doing linux-vserver, I have to _work_ to
> earn the money to buy food and pay for shelter, connectivity and
> clothing ...

Well - having been in this boat with mod_python for some years now, the least I can do is to say a very sincere thank you for all the hard work on vserver!

Grisha
Re: [Vserver] grsecurity ending
Herbert Poetzl wrote:
> > The current vserver+grsecurity is working perfectly well for me on my
> > systems. I've been using Sandino Araico Sanchez's vserver+grsec
> > patch and they've been stable as a rock.
>
> as far as I know, a 'working' vserver/grsec combo was done several
> times, but not seriously tested, and as far as I heard, there were
> some issues ...

There are some issues with usage of ACLs and dropping CAP_SYSADMIN. Unfortunately I haven't had as much spare time as I need to dig into those issues and it seems quite complex.

> nevertheless, if grsec is going to perish, for whatever reason,
> it might be interesting to absorb those parts useful for
> linux-vserver into a security branch of linux-vserver ...
> (would be 2.6 branch of course)
>
> best,
> Herbert
>
> > > From: Sandino Araico Sánchez <[EMAIL PROTECTED]>
> > > I've just uploaded the patch Vserver 1.27 + GR Security 1.9.14 against
> > > 2.4.25 to
> > > http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.27.patch.gz
> >
> > --
> > Luke
> > Computer Science System Administrator
> > Security Administrator, College of Engineering
> > Montana State University-Bozeman, Montana

--
Sandino Araico Sánchez
-- ... there's no spoon ...
Re: [Vserver] grsecurity ending
Dariush Pietrzak wrote:
> > The current vserver+grsecurity is working perfectly well for me on my
> > systems. I've been using Sandino Araico Sanchez's vserver+grsec patch and
> > they've been stable as a rock.
>
> That's good for you. And if you believe this is ideal recommendation then
> I've got this wonderfully cheap bridge for sale, it's a real bargain...
> To reiterate what I and few other people already said - it's not enough to
> just integrate two conflicting patches and call it a day - vserver+grsec is
> not trivial.

The only side-effect I have seen in merging both patches is the ACL dropping CAP_SYSADMIN problem. Other than that there's no overlap and features of both patches have worked as expected on production servers.

> Until someone comes up and commits to maintaining vrsec;) vserver+grsec does
> not exist.

Of course it does not exist, they are two different patches from two different non-overlapping projects. It's just a cumulative patch set like any other.

> All that exists is a bunch of amateur merges of vserver&grsec ... I made
> those.. few other people made those... but AFAIK no one with intimate
> understanding of both projects.

That's right, it takes me about 1 hour to merge the rejects of both patches in the right places; there's no big science on it. I just upload the combined patch in the case it may be useful for someone else.

> So there are two main challenges -
> 1) merging (with understanding and documenting what you are doing, for
> example, resolving chroot restrictions can be made in multitude of ways,

There are no chroot restrictions other than chroot inside chroot but it's solved in GR Security 2. There's just the need of somebody taking 1 hour of his time for doing the merge of vserver and grsec 2 patches.

> grsec on top of vserver, vserver on top of grsec, grsec instead of vserver,
> vserver instead of grsec etc...etc... And this is probably the most trivial
> part)

This one on top of the other is a non-existent issue since both patches don't overlap.

> 2) committing to maintaining this product... accepting bugreports, updating,
> communicating with both vserver and grsec teams ( for example, securing
> chroot properly for vserver+grsec should result in modifications that could
> go to both those projects ).

I wish I had enough time for all that work but I don't. Perhaps somebody else.

> The way it is now it looks like this:
> "Hi, i downloaded grsec+vserver and now I've got this problem...

I've just added the ACL issue to the Wiki page. Hope that's enough for some time.

> ...
> ...
> Oh wait, my kernel is oopsing like crazy".
>
> So, I think that the best way to resolve this whole mess goes like this:
> 1) grsec sponsors get their acts together (probably fear of bad publicity may
> help here...),
> 2) bunch of different developers gets interested in grsec, and one of those
> decides to take responsibility for maintaining this whole magical vrsec
> thingy.
> 3) in the process of accommodating new developers grsec splits into modules
> (like in the early days of security enhancing patches) with different devs
> taking care of different modules.

--
Sandino Araico Sánchez
-- ... there's no spoon ...