Hi NG,
Hi Herbert,

Is there a tool (like testme.sh) that tests the common (maybe also
uncommon) possibilities of misconfigurations (like the capabilities and
chroot-exploits) from inside the VServer?

not yet, but sounds like something useful to me ...

ok, let's do some brainstorming (comment: I'm no vserver specialist, nor can I write programs on Linux):

Output could be like this:
---
# vserver test enter
[...]
context id is now ...
[...]
# vcapcheck
Checking environment ...

contextid is: 4711                                 [OK]
effective userid is: 0                             [OK]
real userid is: 0                                  [OK]
effective groupid is: 0                            [OK]
real groupid is: 0                                 [OK]

Checking posix capabilities ...

i have CAP_CHOWN                                   [OK]
i have CAP_KILL                                    [OK]
[...]
i have CAP_LINUX_IMMUTABLE                         [WARN]
  if you have locked some files because of unification,
  you should assign the immutable-flag to a vps.
  to remove this capability edit ...
i don't have CAP_NET_BROADCAST                     [OK]
i have CAP_SYS_BOOT                                [ERROR]
  Warning: any vserver can reboot the real server
i don't have CAP_MKNOD                             [OK]

Checking the Network Separation ...

determining if someone else listens on my ip       [WARN]
  someone else listens on port 22 (ssh), maybe
  the host is configured to listen on 0.0.0.0
trying to listen on localhost: no success          [OK]
[...]

Trying to break out of the chroot-jail ...

... to access the host's files: no success         [OK]
... to access other vservers: success              [ERROR]
   [...]

Trying to mount hda/sda/...: no success            [OK]
Checking dev-directory: nothing suspicious found   [OK]
Checking proc-fs                                   [WARN]
  found kmem-entry [...]

Checking for the usable RAM space                  [512MB]
Checking for available disk space                  [10 G]
  if the vserver is on the same partition as the real server
  you should verify that the vserver can't grab all disk space
  available
[...]
---

hm ... this list will get very long ... but I think it's very useful when configuring a vserver ...


... Oliver


_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
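The "Checking posix capabilities" pass sketched in the mock-up above, as an added example that is not part of the original message or of any Linux-VServer tool: it reads the calling shell's effective capability mask from the standard Linux /proc/self/status file and rates each capability against a small policy table. The need/warn/deny ratings, the function names and the choice of capabilities in the table are the example's own assumptions.

```shell
#!/bin/sh
# Constructed vcapcheck-style pass: decode the CapEff mask that
# /proc/self/status reports for the calling shell and rate each capability
# against a small policy table. Bit numbers are <linux/capability.h> values.

# has_cap MASK BIT: succeed if bit BIT is set in the hex mask MASK.
has_cap() { [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]; }

# cap_verdict MASK BIT POLICY -> OK | WARN | ERROR. POLICY (assumed ratings):
#   need = a guest normally needs it (WARN if missing); warn = usable but worth
#   a look (WARN if present); deny = never inside a context (ERROR if present).
cap_verdict() {
    if has_cap "$1" "$2"; then
        case $3 in deny) echo ERROR ;; warn) echo WARN ;; *) echo OK ;; esac
    else
        case $3 in need) echo WARN ;; *) echo OK ;; esac
    fi
}

# cap_table: "NAME BIT POLICY" per rated capability; extend as needed.
cap_table() {
cat <<'EOF'
CAP_CHOWN 0 need
CAP_KILL 5 need
CAP_LINUX_IMMUTABLE 9 warn
CAP_NET_BROADCAST 11 deny
CAP_SYS_RAWIO 17 deny
CAP_SYS_ADMIN 21 deny
CAP_SYS_BOOT 22 deny
CAP_MKNOD 27 deny
EOF
}
# audit_caps MASK: one line per table entry in the mock-up's style, then the
# number of ERROR findings as the final line.
audit_caps() {
    errors=0
    while read -r name bit policy; do
        verdict=$(cap_verdict "$1" "$bit" "$policy")
        if has_cap "$1" "$bit"; then state="i have"; else state="i don't have"; fi
        printf '%-36s [%s]\n' "$state $name" "$verdict"
        if [ "$verdict" = ERROR ]; then errors=$((errors + 1)); fi
    done <<EOF
$(cap_table)
EOF
    echo "$errors"
}
# Audit the calling shell itself where /proc is available (Linux only).
mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
if [ -n "$mask" ]; then audit_caps "$mask"; fi
```

Run it inside the guest with `vserver <name> exec sh vcapcheck.sh` or after `vserver <name> enter`; a non-zero final line is a capability the context should not hold.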