On Fri, 13 May 2005, Ola Lundqvist wrote:
> Hello
>
> What version do you file this against?

This is against the version in testing: 0.30.204-5

> The current documentation in unstable tells you exactly this. It does
> not tell that setattr --barrier is a 2.6 thing though.

The current documentation says:

  chmod 000 $VROOTDIR
  chattr +t $VROOTDIR
  setattr --barrier $VROOTDIR # if available

and then two paragraphs, and then it is repeated:

  For all vservers:
  chmod 000 /path/to/vserver/..
  chattr +t /path/to/vserver/..
  setattr --barrier /path/to/vserver/..

This means a couple things:

1. it should not be repeated :)

2. it should only list the setattr --barrier command to eliminate confusion

3. I think it should read:

ATTENTION
---------
For security purposes, you should set the following on your vserver root
directory:

  setattr --barrier /var/lib/vservers

If for some reason you move this directory, you should run:

  setattr --barrier /<vrootdir>/<vserver>/..

on each vserver created, unless *all* your vservers are really directly
below the directory /<vrootdir> and this is not a symlink, in which case
the single setattr --barrier /<vrootdir> is appropriate.

4. I *strongly* believe that this documentation change should be put into
Sarge, it's a security risk to not have the proper documentation here, and
this simple change will be accepted by the release managers (as it is a
security problem, and it is only a documentation fix).

micah

> On Thu, May 12, 2005 at 10:29:39PM -0500, Micah Anderson wrote:
> > Package: util-vserver
> > Severity: important
> >
> > The README.Debian included in util-vserver states:
> >
> > chmod 000 $VROOTDIR
> > chattr +t $VROOTDIR
> >
> > This is *not* the right thing to do anymore. According to Bertl and
> > Doener on the irc channel, the proper thing is to do:
> >
> > setattr --barrier $VROOTDIR
> >
> > in 2.4 version of the utilities the chmod/chattr stuff is right, but
> > in 2.6 it is not. The setattr --barrier is smart and knows which one
> > to do depending on your setup.
> >
> > Additionally, this should be done as:
> >
> > setattr --barrier /vservers/<vserver>/..
> >
> > on each vserver created, unless *all* your vservers are really
> > directly below /vservers (which is a *directory*, not a symlink),
> > then it is fine to just do it on /vservers.
> >
> > This is an important documentation issue that I think should be
> > addressed for sarge, and the release managers have said that they will
> > allow documentation changes to enter into sarge (I've managed to get
> > this done myself). So I would highly recommend making this simple
> > change and uploading it and making a request to [EMAIL PROTECTED]
> > to allow it in.
>
> I can probably get this in, yes.
>
> Regards,
>
> // Ola
>
> > -- System Information:
> > Debian Release: 3.1
> >   APT prefers unstable
> >   APT policy: (300, 'unstable')
> > Architecture: i386 (i686)
> > Kernel: Linux 2.6.8-2-k7
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> --
>  --------------------- Ola Lundqvist ---------------------------
> /  [EMAIL PROTECTED]                   Annebergsslingan 37      \
> |  [EMAIL PROTECTED]                   654 65 KARLSTAD          |
> |  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
> |  http://www.opal.dhs.org             UIN/icq: 4912500         |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
>  ---------------------------------------------------------------
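The rule discussed in this mail (barrier on the parent of each vserver, or once on the root only when every vserver really sits directly below it and no symlink is involved) can be checked mechanically. The script below is an added example, not part of the original mail or of util-vserver: it resolves symlinks and prints the setattr --barrier commands for review without running them. The function names and the demo layout are constructed for illustration, and `readlink -f` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not util-vserver code): list the directories that need
# "setattr --barrier", i.e. the real parent of every vserver directory.

# barrier_targets VROOTDIR
# Prints, sorted and unique, the symlink-resolved parent directory of each
# vserver directory found directly under VROOTDIR.
barrier_targets() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    for entry in "$1"/*; do
        [ -d "$entry" ] || continue       # skip plain files and dangling links
        real=$(readlink -f "$entry") || continue
        dirname "$real"
    done | sort -u
}

# barrier_commands VROOTDIR
# Prints the commands for review; nothing is executed.
barrier_commands() {
    barrier_targets "$1" | while IFS= read -r dir; do
        printf "setattr --barrier '%s'\n" "$dir"
    done
}

# Demo on a constructed layout: two vservers directly below the root and one
# that is a symlink to a directory on another path.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/vservers/web" "$tmp/vservers/mail" "$tmp/big-disk/db"
    ln -s "$tmp/big-disk/db" "$tmp/vservers/db"
    barrier_commands "$tmp/vservers"
    rm -rf "$tmp"
}
demo
```

More than one line of output means the single barrier on the root directory does not cover every vserver.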

