[Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
Hi All,

I encountered a problem when I wanted to start NTP on a vserver-based system. I get

    cap_set_proc() failed to drop root privileges: Operation not permitted

The system is Suse 9.2 with a vserver 2.6.9 kernel.

Any hints?

Oliver
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
01 2005 17:19 [EMAIL PROTECTED] (a):
> Hi All,
>
> I encountered a problem when I wanted to start NTP on a vserver-based system. I get
>
>     cap_set_proc() failed to drop root privileges: Operation not permitted
>
> The system is Suse 9.2 with a vserver 2.6.9 kernel

does ntpd start on this kernel in xid=0, that is, _not_ in virtual context?

I'm not sure, but if it doesn't, see capabilities module or like that -- realtime etc, depends on the kernel configuration.

--
Peter V. Saveliev

Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
>> I encountered a problem when I wanted to start NTP on a vserver-based system. I get
>>
>>     cap_set_proc() failed to drop root privileges: Operation not permitted
>>
>> The system is Suse 9.2 with a vserver 2.6.9 kernel
>
> does ntpd start on this kernel in xid=0, that is, _not_ in virtual context?

yes the ntp is running in the main context

> I'm not sure, but if it doesn't, see capabilities module or like that -- realtime etc, depends on the kernel configuration.

hmm - so I think I have to mod the sources as I can't find appropriate kernel config params...

Oliver

Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
skip /

>> does ntpd start on this kernel in xid=0, that is, _not_ in virtual context?
>
> yes the ntp is running in the main context
>
>> I'm not sure, but if it doesn't, see capabilities module or like that -- realtime etc, depends on the kernel configuration.
>
> hmm - so I think I have to mod the sources as I can't find appropriate kernel config params...

skip /

So, that's not, what I think... I encountered the same problem, but on the normal kernels 2.6.8/9/10. The solve was to 'modprobe capabilities' or 'modprobe realtime'. But if ntpd runs in the main context, I think, it is not the same case. Maybe, you've to look around capabilities(7) to get appropriate CAP_* in the context?

--
Peter V. Saveliev

Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
On Fri, Apr 01, 2005 at 07:06:19PM +0400, Peter V. Saveliev wrote:
> skip /
>
>>> does ntpd start on this kernel in xid=0, that is, _not_ in virtual context?
>>
>> yes the ntp is running in the main context
>>
>>> I'm not sure, but if it doesn't, see capabilities module or like that -- realtime etc, depends on the kernel configuration.
>>
>> hmm - so I think I have to mod the sources as I can't find appropriate kernel config params...

check for security modules and capabilities in particular

> skip /
>
> So, that's not, what I think... I encountered the same problem, but on the normal kernels 2.6.8/9/10. The solve was to 'modprobe capabilities' or 'modprobe realtime'. But if ntpd runs in the main context, I think, it is not

this diagnosis sounds very accurate to me ...
I would double check if capabilities are loaded/compiled in
maybe you are in deep trouble and do not even know it ;)

best,
Herbert

> the same case. Maybe, you've to look around capabilities(7) to get appropriate CAP_* in the context?
>
> --
> Peter V. Saveliev

Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
Hi Herbert,

>>> hmm - so I think I have to mod the sources as I can't find appropriate kernel config params...
>
> check for security modules and capabilities in particular

Can you tell me what I must look for? If you mean kernel modules - I have a monolithic one - so no modules are loaded at all

>> So, that's not, what I think... I encountered the same problem, but on the normal kernels 2.6.8/9/10. The solve was to 'modprobe capabilities' or 'modprobe realtime'. But if ntpd runs in the main context, I think, it is not
>
> this diagnosis sounds very accurate to me ...
> I would double check if capabilities are loaded/compiled in
> maybe you are in deep trouble and do not even know it ;)

as we use vserver only for process separation due to better maintenance it will not affect operational security - but good hint anyway

Oliver

--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72

Re: [Vserver] unable to run ntp on vserver kernel / drop root privileges not allowed
On Fri, Apr 01, 2005 at 07:31:07PM +0200, Oliver Welter wrote:
> Hi Herbert,
>
>>>> hmm - so I think I have to mod the sources as I can't find appropriate kernel config params...
>>
>> check for security modules and capabilities in particular
>
> Can you tell me what I must look for? If you mean kernel modules - I have a monolithic one - so no modules are loaded at all

CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=y

or

CONFIG_SECURITY=n

both will use the capabilities compiled in ...

>>> So, that's not, what I think... I encountered the same problem, but on the normal kernels 2.6.8/9/10. The solve was to 'modprobe capabilities' or 'modprobe realtime'. But if ntpd runs in the main context, I think, it is not
>>
>> this diagnosis sounds very accurate to me ...
>> I would double check if capabilities are loaded/compiled in
>> maybe you are in deep trouble and do not even know it ;)
>
> as we use vserver only for process separation due to better maintenance it will not affect operational security - but good hint anyway

it will, it will. trust me ...

most checks in linux-vserver kernel code are based on linux capabilities, so they are a requirement, not some kind of addon/feature ...

best,
Herbert

> Oliver
>
> --
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Base certificate: http://www.ldv.ei.tum.de/page72
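
Added example (not part of the thread and not code from any poster or from the Linux-VServer project): a shell check that applies the config rule from the last message to a 2.6-era kernel .config file. The function name cap_status and the sample configs are constructed for illustration; the "module" and "missing" outcomes are this example's reading of the combinations the message does not list.

```shell
#!/bin/sh
# Classify how a 2.6-era kernel config provides POSIX capabilities.
# Prints one of: builtin | module | missing
#   builtin - CONFIG_SECURITY off, or CONFIG_SECURITY=y with
#             CONFIG_SECURITY_CAPABILITIES=y (the two cases named in the thread)
#   module  - capability LSM built as a module; must be loaded before
#             cap_set_proc() can succeed (assumption of this example)
#   missing - CONFIG_SECURITY=y without the capability LSM; a monolithic
#             kernel like this cannot fix it with modprobe (assumption)
cap_status() {
    cfg=$1
    # Disabled options appear as "# CONFIG_X is not set", so only
    # uncommented assignments are matched here.
    sec=$(sed -n 's/^CONFIG_SECURITY=\(.\)$/\1/p' "$cfg")
    cap=$(sed -n 's/^CONFIG_SECURITY_CAPABILITIES=\(.\)$/\1/p' "$cfg")
    if [ "$sec" != "y" ]; then
        echo builtin
    elif [ "$cap" = "y" ]; then
        echo builtin
    elif [ "$cap" = "m" ]; then
        echo module
    else
        echo missing
    fi
}

# Constructed sample configs (not taken from the thread).
tmp=$(mktemp -d)
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_CAPABILITIES=y\n' > "$tmp/lsm-builtin"
printf '# CONFIG_SECURITY is not set\n' > "$tmp/no-lsm"
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_CAPABILITIES=m\n' > "$tmp/lsm-module"
printf 'CONFIG_SECURITY=y\n# CONFIG_SECURITY_CAPABILITIES is not set\n' > "$tmp/lsm-without-caps"
for f in "$tmp"/*; do
    printf '%s: %s\n' "${f##*/}" "$(cap_status "$f")"
done
rm -rf "$tmp"
```

On a real host, pass the path of the running kernel's config file (its location depends on the distribution).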