Re: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Oliver Welter
yup, but better upgrade to 2.6.11.9-vs2.0-rc1 ;) As I use this on *very* vital production machines - anyone here who can tell me if it's working ;) Oliver -- This message was digitally signed oliwel's public key: http://www.oliwel.de/oliwel.crt Base certificate: http://www.ldv.ei.tum.de/

Re: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Herbert Poetzl
On Fri, May 13, 2005 at 02:43:50PM +1200, Michal Ludvig wrote: > Herbert Poetzl wrote: > > On Thu, May 12, 2005 at 01:43:09PM +0200, Oliver Welter wrote: > > > >>serious problem: > >>I read about the new buffer overflow in the kernel's ELF Loader - it > >>seems that an unprivileged attacker can st

Re: [Vserver] Re: debian kernel 2.6.8 questions

2005-05-12 Thread Herbert Poetzl
On Fri, May 13, 2005 at 10:42:04AM +0800, Wai Phang wrote: > Hi Herbert, > > My kernel had extended attributes for ext2 and ext3 compiled in. > Anyway, is there any security concern if I can't get that working? > Thank you. well, yes, actually it means that the extended attributes do not work on t

Re: [Vserver] Official copy method?

2005-05-12 Thread Darryl Ross
Herbert Poetzl wrote: > and it is because /path/to/.. is not necessarily the > same as /path Just in case people are not sure why the above might be true: If /path/dir is a symlink to /bigstorage/path/dir, then /path/dir/.. is actually /bigstorage/path and not /path. The shell should remem
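The symlink case Darryl describes, as an added shell example that is not part of the list archive: it builds the /path/dir -> /bigstorage/path/dir layout inside a temporary directory (all names constructed for the demo) and compares the physical resolution of ".." with the logical one.

```shell
#!/bin/sh
# Added example (not from the mailing list): why "<path>/dir/.." is not always
# "<path>". Every directory below is constructed inside a temporary tree.

# Physical parent of a directory: follow the symlink first (cd -P), then go
# up one level. This is what the kernel does when it resolves "<dir>/..".
physical_parent() {
    ( cd -P "$1/.." && pwd -P )
}

# Logical parent: just strip the last path component, as a shell that tracks
# the path you typed (cd without -P, pwd -L) would.
logical_parent() {
    dirname "$1"
}

# Build the layout from the thread: path/dir is a symlink to bigstorage/path/dir.
# Prints the (physically resolved) sandbox root.
demo_setup() {
    root=$(mktemp -d) || return 1
    root=$(cd -P "$root" && pwd -P)      # resolve /tmp itself if it is a symlink
    mkdir -p "$root/bigstorage/path/dir" "$root/path"
    ln -s "$root/bigstorage/path/dir" "$root/path/dir"
    printf '%s\n' "$root"
}

# Returns 0 when the two views of ".." disagree exactly as described in the
# thread: the logical parent is path, the physical parent is bigstorage/path.
demo_check() {
    root=$(demo_setup) || return 1
    phys=$(physical_parent "$root/path/dir")
    logi=$(logical_parent "$root/path/dir")
    rm -rf "$root"
    [ "$phys" = "$root/bigstorage/path" ] && [ "$logi" = "$root/path" ]
}

if demo_check; then
    echo "path/dir/.. resolves to bigstorage/path, not path"
else
    echo "unexpected: .. resolved to the logical parent"
fi
```

This is the reason behind the recommendation earlier in the thread to run `setattr --barrier /vservers/vcrux02/..`: the kernel resolves the trailing `..` physically, so the flag lands on the directory that really contains the guest root, even when `/vservers/vcrux02` is a symlink to storage elsewhere. A parent path typed by hand is only correct when no symlink is involved.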

[Vserver] [PreRelease] vs2.0-rc1

2005-05-12 Thread Herbert Poetzl
Greetings Community! today we released the first release candidate for Linux-VServer for the stable 2.6 kernel http://vserver.13thfloor.at/Experimental/patch-2.6.11.9-vs2.0-rc1.diff http://vserver.13thfloor.at/Experimental/patch-2.6.11.9-vs2.0-rc1.diff.bz2 please test it and report back all iss

Re: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Michal Ludvig
Herbert Poetzl wrote: > On Thu, May 12, 2005 at 01:43:09PM +0200, Oliver Welter wrote: > >>serious problem: >>I read about the new buffer overflow in the kernel's ELF Loader - it >>seems that an unprivileged attacker can start a process in the kernel's >>context.. > > > details? > > - which iss

Re: [Vserver] Re: debian kernel 2.6.8 questions

2005-05-12 Thread Wai Phang
Hi Herbert, My kernel had extended attributes for ext2 and ext3 compiled in. Anyway, is there any security concern if I can't get that working? Thank you. Cheers! Seph On 5/13/05, Herbert Poetzl <[EMAIL PROTECTED]> wrote: > On Thu, May 12, 2005 at 05:26:11PM -0700, Wai Phang wrote: > > Hi Herber

Re: [Vserver] Re: debian kernel 2.6.8 questions

2005-05-12 Thread Herbert Poetzl
On Thu, May 12, 2005 at 05:26:11PM -0700, Wai Phang wrote: > Hi Herbert, > > chattr +i /var/lib/vservers gave me the same error as well. well, then you should (and probably figured already) compile in/enable extended attributes for that filesystem of yours (to which /var/lib/vservers belongs) be

[Vserver] Re: debian kernel 2.6.8 questions

2005-05-12 Thread Wai Phang
Hi Herbert, chattr +i /var/lib/vservers gave me the same error as well. Cheers! Seph On 5/12/05, Herbert Poetzl <[EMAIL PROTECTED]> wrote: > On Thu, May 12, 2005 at 02:12:34PM +0800, Wai Phang wrote: > > Hi Herbert, > > > > Thank you for your clarifications. > > > > I have figured most of the

Re: [Vserver] Official copy method?

2005-05-12 Thread Herbert Poetzl
On Thu, May 12, 2005 at 11:16:49AM -0600, [EMAIL PROTECTED] wrote: > Herbert, > You are correct. Sorry for misquoting you. > Now I'm back to my usual state: Dazed and confused > > Here are my vservers > ls -l /vservers/ > total 20 > drwxr-xr-x 17 root root 4096 Apr 8 11:36 vcrux01 > drwxr-xr-x

RE: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Mike Tierney
> From: [EMAIL PROTECTED] [mailto:vserver- > [EMAIL PROTECTED] On Behalf Of Oliver Welter > > Hello Herbert, > > >>serious problem: > >>I read about the new buffer overflow in the kernel's ELF Loader - it > >>seems that an unprivileged attacker can start a process in the kernel's > >>context.. > > >

Re: [Vserver] cpu counters in 1.9.5

2005-05-12 Thread Gregory (Grisha) Trubetskoy
On Thu, 12 May 2005, Herbert Poetzl wrote: okay, adding the 'counters' back should not be too hard, so I take that as 'feature request' ... ... or a 'feature return' :-) Thanks, Grisha ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.li

Re: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Oliver Welter
Hello Herbert, serious problem: I read about the new buffer overflow in the kernel's ELF Loader - it seems that an unprivileged attacker can start a process in the kernel's context.. details? - which issue? - what kernels are affected? - what does the 'exploit' look like? I referred to the Announ

Re: [Vserver] Extra root security

2005-05-12 Thread Bodo Eggert
On Thu, 12 May 2005, Gaz Wilson wrote: > > Does anyone have an opinion as to whether disabling root's password > within a vserver is worthwhile? No one logs into a vserver as root > via ssh, only from the master using vserver enter, so there's no point > in having a root password, so it can be di

Re: [Vserver] Extra root security

2005-05-12 Thread Dariush Pietrzak,,,
> within a vserver is worthwhile? No one logs into a vserver as root > via ssh, only from the master using vserver enter, so there's no point It is considered good practice to disable root login via ssh, i.e.: DON'T set "PermitRootLogin yes", leave it disabled. Logging in as root via ssh is usually

[Vserver] Extra root security

2005-05-12 Thread Gaz Wilson
Does anyone have an opinion as to whether disabling root's password within a vserver is worthwhile? No one logs into a vserver as root via ssh, only from the master using vserver enter, so there's no point in having a root password, so it can be disabled by adding *LCK* in the passwd file on the v
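The two settings this thread discusses, a locked root password inside the guest and root login over ssh, as an added shell audit that is not from the list archive. The shadow and sshd_config contents it checks are constructed samples written to a temporary directory, so nothing on the real host is read; for a real guest the functions would be pointed at /vservers/<guest>/etc/shadow and /vservers/<guest>/etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the mailing list): check the two things discussed in
# this thread against a guest's files. The sample shadow and sshd_config
# contents below are constructed for the demo.

# Returns 0 when root's hash field in the given shadow file is locked: a field
# starting with '!' or '*' (e.g. '*LCK*', '!', or '*') never matches any
# password. A missing root entry is reported as not locked (return 1).
root_is_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Returns 0 when the given sshd_config turns root login off. sshd takes the
# first PermitRootLogin it sees, keywords are case-insensitive, and anything
# after a Match line is conditional, so the scan stops there. An absent
# setting counts as not disabled: sshd of that era defaulted it to yes.
ssh_root_login_disabled() {
    val=$(awk '
        /^[[:space:]]*#/ || NF == 0       { next }
        tolower($1) == "match"            { exit }
        tolower($1) == "permitrootlogin"  { print tolower($2); exit }
    ' "$1")
    [ "$val" = "no" ]
}

# Write constructed samples and run the checks: a locked and an open root
# entry, and a weak sshd_config beside its corrected form.
demo_passes() {
    dir=$(mktemp -d) || return 1
    printf 'root:*LCK*:12000:0:99999:7:::\nbin:*:12000:0:99999:7:::\n' \
        > "$dir/shadow.locked"
    printf 'root:$1$saltsalt$notarealhash:12000:0:99999:7:::\n' \
        > "$dir/shadow.open"
    printf '# weak: root may log in over ssh\nPort 22\nPermitRootLogin yes\n' \
        > "$dir/sshd_config.weak"
    printf '# corrected\nPort 22\nPermitRootLogin no\nMatch Address 10.0.0.0/8\n  PasswordAuthentication no\n' \
        > "$dir/sshd_config.fixed"
    rc=0
    root_is_locked "$dir/shadow.locked"              || rc=1
    root_is_locked "$dir/shadow.open"                && rc=1
    ssh_root_login_disabled "$dir/sshd_config.weak"  && rc=1
    ssh_root_login_disabled "$dir/sshd_config.fixed" || rc=1
    rm -rf "$dir"
    return $rc
}

if demo_passes; then
    echo "locked root entry and PermitRootLogin no detected as expected"
else
    echo "unexpected check result"
fi
```

Note that `ssh_root_login_disabled` only accepts the literal `no`: values such as `without-password` still allow key-based root login, which is more than this thread wants for a guest that is only ever entered from the host.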

RE: [Vserver] Official copy method?

2005-05-12 Thread smagnuson
Herbert, You are correct. Sorry for misquoting you. Now I'm back to my usual state: Dazed and confused Here are my vservers ls -l /vservers/ total 20 drwxr-xr-x 17 root root 4096 Apr 8 11:36 vcrux01 drwxr-xr-x 17 root root 4096 Apr 8 11:36 vcrux02 drwxr-xr-x 17 root root 4096 Apr 22 08:02 vc

Re: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Herbert Poetzl
On Thu, May 12, 2005 at 01:43:09PM +0200, Oliver Welter wrote: > Hi Folks, > > serious problem: > I read about the new buffer overflow in the kernel's ELF Loader - it > seems that an unprivileged attacker can start a process in the kernel's > context.. details? - which issue? - what kernels are

Re: [Vserver] cpu counters in 1.9.5

2005-05-12 Thread Herbert Poetzl
On Thu, May 12, 2005 at 11:03:29AM -0400, Gregory (Grisha) Trubetskoy wrote: > > On Thu, 12 May 2005, Herbert Poetzl wrote: > > >>Has something changed in the way vs1.9.5 accounts for CPU? We've upgraded > >>from 2.6.10-vs1.9.4 to 2.6.11.7-vs1.9.5 and in /proc/virtual//sched I > >>see: > > > >hmm

Re: [Vserver] debian kernel 2.6.8 questions

2005-05-12 Thread Herbert Poetzl
On Thu, May 12, 2005 at 02:12:34PM +0800, Wai Phang wrote: > Hi Herbert, > > Thank you for your clarifications. > > I have figured most of the stuff except this > > chattr: Function not implemented while setting flags on /var/lib/vservers okay, after second thought, what about enabling extended

Re: [Vserver] Official copy method?

2005-05-12 Thread Herbert Poetzl
On Thu, May 12, 2005 at 08:28:36AM -0600, [EMAIL PROTECTED] wrote: > I was originally doing it that way but Herbert recommended this way. > I have not experienced any issues so far. what I recommended was to use: setattr --barrier /vservers/vcrux02/.. instead of setattr --barr

Re: [Vserver] Official copy method?

2005-05-12 Thread Herbert Poetzl
On Thu, May 12, 2005 at 03:27:21PM +0100, Gaz Wilson wrote: > On Thu, 12 May 2005 [EMAIL PROTECTED] wrote: > > > > > * Set up vserver barrier > > > > sudo showattr -d /vservers/vcrux02 > > ---bui- /vservers/vcrux02 > > sudo setattr --barrier /vservers/vcrux02 > > sudo showattr -d /vservers/vcr

Re: [Vserver] cpu counters in 1.9.5

2005-05-12 Thread Gregory (Grisha) Trubetskoy
On Thu, 12 May 2005, Herbert Poetzl wrote: Has something changed in the way vs1.9.5 accounts for CPU? We've upgraded from 2.6.10-vs1.9.4 to 2.6.11.7-vs1.9.5 and in /proc/virtual//sched I see: hmm, had a look at vs2.0-pre4 and indeed the cpu counters are 'just' dummies for now ... but I also checked

RE: [Vserver] Official copy method?

2005-05-12 Thread smagnuson
Not sure I can help you with understanding it. If you look at these and it makes sense you can teach me :) http://linux-vserver.org/Proc-Security http://deb.riseup.net/web-server/vserver/ :setattr --help Usage: setattr [-Rx] [--[~](iunlink|admin|watch|hide|barrier|iunlink-but-not-immutable)]

RE: [Vserver] Official copy method?

2005-05-12 Thread smagnuson
I was originally doing it that way but Herbert recommended this way. I have not experienced any issues so far. sig -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Björn Steinbrink Sent: Thursday, May 12, 2005 8:21 AM To: vserver@list.linux-vserver.org Su

RE: [Vserver] Official copy method?

2005-05-12 Thread Gaz Wilson
On Thu, 12 May 2005 [EMAIL PROTECTED] wrote: > > * Set up vserver barrier > > sudo showattr -d /vservers/vcrux02 > ---bui- /vservers/vcrux02 > sudo setattr --barrier /vservers/vcrux02 > sudo showattr -d /vservers/vcrux02 > ---Bui- /vservers/vcrux02 Excuse my ignorance, but what does setattr

Re: [Vserver] Official copy method?

2005-05-12 Thread Björn Steinbrink
Hello, On 2005.05.12 07:48:27 -0600, [EMAIL PROTECTED] wrote: > * Set up vserver barrier > > sudo showattr -d /vservers/vcrux02 > ---bui- /vservers/vcrux02 > sudo setattr --barrier /vservers/vcrux02 > sudo showattr -d /vservers/vcrux02 > ---Bui- /vservers/vcrux02 the barrier flag is supposed

RE: [Vserver] Official copy method?

2005-05-12 Thread smagnuson
I'm using Crux Linux (http://crux.nu/). This process works for me. I'm sure there are other ways. * Duplicate existing vserver on same host sudo vserver vcrux01 stop sudo vserver vcrux02 build -m skeleton -n vcrux02 --context 200 --hostname vcrux02.domain.net --interface 172.27.12.40 --

[Vserver] Re: cpu counters in 1.9.5

2005-05-12 Thread Nicolas Costes
On Thursday, 12 May 2005 06:42, Herbert Poetzl wrote: > what do you want to troubleshoot? what do you > expect there? Something like this ? # cat /proc/virtual/49157/sched Token: 0 FillRate: 1 Interval: 4 TokensMin:62 TokensMax: 500 P

[Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Oliver Welter
Hi Folks, serious problem: I read about the new buffer overflow in the kernel's ELF Loader - it seems that an unprivileged attacker can start a process in the kernel's context.. Is it possible to gain root inside a vServer ? Is it possible to break out of a vServer with this Bug ? Oliver -- Diese Na