[Vserver] proc too secure?

2005-05-04 Thread Gaz Wilson

Hi - sorry for asking again - Normally I like to research such things
properly, but time is not on my side for this project, so I come in
hope of a quick solution.

I need to install binfmt support within a vserver, however proc is
secured in such a way as it cannot install properly:

Setting up binfmt-support (1.2.3) ...
mount: permission denied
update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
/proc/sys/fs/binfmt_misc.
Enabling additional executable binary formats: mount: permission denied
update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
/proc/sys/fs/binfmt_misc.
binfmt-support.

Is there a (good) way to allow this to happen without removing proc security
entirely?  I didn't see anything in the docs I have skimmed through...

thanks and apologies for asking without doing much research first.

-- 
   /   Gary Wilson, aka dragon/dragonlord/dragonv480\
 .'(_.--.  e: [EMAIL PROTECTED] MSN: dragonv480   .--._)`.
   _   |  Skype:dragonv480 ICQ:342070475 AIM:dragonv480   |   _   
 `.( `--' w: http://volvo480.northernscum.org.uk   `--' ).'
   \w: http://www.northernscum.org.uk   /
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] proc too secure?

2005-05-04 Thread Gaz Wilson


Hi again!

I discovered earlier that yes indeed, if you configure the host up with the
relevant binfmt stuff, the vservers adopt those settings, so all is well and
good.

I am having trouble with grsec though - I have set it for medium security, and
yet the vserver refuses to start, complaining that the capabilities don't
exist - yet I checked the kernel and the default capabilities are set
(monolithically, not as a module) - just checking all kernel options and
recompiling, in case there's some difference between my working kernel
with grsec disabled and this one...

In the meantime, if anyone has used grsec along with vservers, I'd be
interested to hear any stories about making it work!!!

Thanks all!

Gary Wilson


On Wed, 4 May 2005, Herbert Poetzl wrote:

 On Wed, May 04, 2005 at 10:01:49AM +0100, Gaz Wilson wrote:
 
  Hi - sorry for asking again - Normally I like to research such things
  properly, but time is not on my side for this project, so I come in
  hope of a quick solution.
 
  I need to install binfmt support within a vserver, however proc is
  secured in such a way as it cannot install properly:
 
  Setting up binfmt-support (1.2.3) ...
  mount: permission denied
  update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
  /proc/sys/fs/binfmt_misc.
  Enabling additional executable binary formats: mount: permission denied
  update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
  /proc/sys/fs/binfmt_misc.
  binfmt-support.

 binfmt or more precisely misc binary format support
 is not available inside vserver, because it needs userspace
 helpers which have to 'run' in the proper context, and
 that has just not been done yet ... you can use it on the
 host though ... and it might reach/map into vservers
 (not tested)

 best,
 Herbert


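Herbert's suggestion, which Gary confirms above, is to register the binary format on the host rather than inside the guest. The script below is an added example of doing that, not code from Linux-VServer or from the binfmt-support package. It builds the colon-delimited record that the kernel's /proc/sys/fs/binfmt_misc/register file accepts, validates the pieces that would otherwise corrupt the record, and writes it on the host. The handler names (qemu-arm, jar), the interpreter paths and the ARM ELF magic/mask are illustrative values chosen for the example; the 'apply' step needs root in the host context.

```shell
#!/bin/sh
# Added example (not Linux-VServer or binfmt-support code): register a
# binfmt_misc handler on the HOST, since the guest is denied the mount.
# Handler names, interpreter paths and the ARM magic are illustrative.
BINFMT_DIR=/proc/sys/fs/binfmt_misc

# build_binfmt_entry NAME TYPE OFFSET MAGIC MASK INTERPRETER FLAGS
# Produces the record the kernel's "register" file accepts:
#   :name:type:offset:magic:mask:interpreter:flags:
# TYPE is M (match MAGIC bytes at OFFSET, masked by MASK) or E (match a
# file extension; OFFSET and MASK are then left empty). Bytes in MAGIC and
# MASK are written as \xNN escapes and passed through untouched.
# FLAGS may contain P (preserve argv[0]), O (pass the binary as an open
# fd) and C (take credentials from the binary, i.e. honour setuid on it).
build_binfmt_entry() {
    be_name=$1 be_type=$2 be_off=$3 be_magic=$4 be_mask=$5 be_interp=$6 be_flags=$7
    case "$be_type" in
        M|E) ;;
        *) echo "build_binfmt_entry: type must be M or E" >&2; return 1 ;;
    esac
    # The record is colon-delimited, so ':' in the name would split it;
    # '/' is refused because the name becomes a file under $BINFMT_DIR.
    case "$be_name" in
        ""|*:*|*/*) echo "build_binfmt_entry: bad handler name" >&2; return 1 ;;
    esac
    case "$be_interp" in
        /*) ;;
        *) echo "build_binfmt_entry: interpreter must be an absolute path" >&2; return 1 ;;
    esac
    case "$be_flags" in
        *[!POC]*) echo "build_binfmt_entry: unknown flag in '$be_flags'" >&2; return 1 ;;
    esac
    printf ':%s:%s:%s:%s:%s:%s:%s:' "$be_name" "$be_type" "$be_off" \
        "$be_magic" "$be_mask" "$be_interp" "$be_flags"
}

# register_binfmt ENTRY: mount binfmt_misc on the host if it is not yet
# mounted, then write the entry. Run as root in the host context only.
register_binfmt() {
    rb_entry=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "register_binfmt: run as root on the host" >&2; return 1
    fi
    if [ ! -e "$BINFMT_DIR/register" ]; then
        mount -t binfmt_misc none "$BINFMT_DIR" || return 1
    fi
    printf '%s\n' "$rb_entry" > "$BINFMT_DIR/register"
}

# binfmt_status NAME: first line of the handler's status file
# ("enabled" or "disabled") once it is registered.
binfmt_status() {
    [ -r "$BINFMT_DIR/$1" ] && sed -n 1p "$BINFMT_DIR/$1"
}

# ELF header of a 32-bit little-endian ARM executable: e_ident (byte 7,
# the OS ABI, is masked out), then e_type 2 or 3 (hence 0xfe in the mask)
# and e_machine 0x28. Constructed for this example.
ARM_MAGIC='\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00'
ARM_MASK='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'

ARM_ENTRY=$(build_binfmt_entry qemu-arm M 0 "$ARM_MAGIC" "$ARM_MASK" /usr/bin/qemu-arm P)
# Extension-based handler: hand *.jar files to a (hypothetical) wrapper.
JAR_ENTRY=$(build_binfmt_entry jar E '' jar '' /usr/local/bin/jarwrapper '')

printf '%s\n' "$ARM_ENTRY" "$JAR_ENTRY"
if [ "${1:-}" = "--apply" ]; then
    register_binfmt "$ARM_ENTRY" && binfmt_status qemu-arm
fi
```

Two caveats worth keeping in mind when doing this. First, binfmt_misc registrations are kernel-global: a handler registered on the host fires for every matching file executed in any context, which is also why the guest is right to be refused the mount (the register file is writable by root, so a guest that could mount it would get a system-wide hook on exec). Second, the kernel opens the interpreter named in the entry at exec time, in the context of the process running the file, so a chrooted guest needs /usr/bin/qemu-arm (or whatever the entry names) present at that path inside its own tree, not just on the host.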


Re: [Vserver] proc too secure?

2005-05-04 Thread Gaz Wilson


Self-followup - sorry!

I have sorted grsec with vservers and so far everything is working nicely
now :)

Fingers x'd :)

Thanks for everyone's help to date.

gary

