Hi All,

RedHat (at least 9, not sure about earlier) is affected by vs1.25 also - although most things work normally, useradd creates a directory with 000 permissions that root is not able to chmod. Can anyone running RH confirm that vs1.26 doesn't have the issue before I build the kernel?

Thanks!
Cathy

p.s. Herbert - thank you for the VERY fast response to the vulnerability. :)

On Fri, 6 Feb 2004, Herbert Poetzl wrote:

> On Fri, Feb 06, 2004 at 10:33:14PM +0100, Herbert Poetzl wrote:
> >
> > Hello Folks!
> >
> > because the last security fix for the chmod()/chroot()
> > issue was a little too fast, and a little too secure
> > for some distros (debian was mentioned), this release
> > restricts the security to the 'important' parts, the
> > vserver directory.
> >
> > this is done in the following way:
> >
> > the chroot() 000 barrier is unaffected and unchanged,
> > but in addition to that, a barrier with IUNLINK set
> > can not be changed (chmod()), so the exploit isn't
> > possible on such a secured system.
> >
> > What you have to do, after applying that patch?
> >
> > chmod 000 /vservers
> > chattr +t -d /vservers
>
> as enrico pointed out, this is crap ;)
>
> chattr +t /vservers
>
> is what I meant, sorry for the confusion
>
> best,
> Herbert
>
> > all-in-one and broken out patches for 2.4.24 as well
> > as incremental patches are available at
> >
> > http://www.13thfloor.at/vserver/s_release/
> >
> > a temporary fix for the chmod()/chroot() exploit is
> > to make the vserver directory immutable, but that
> > will affect vserver creation and destruction in
> > various ways, so an upgrade is advised.
> >
> > best,
> > Herbert
> >
> > _______________________________________________
> > Vserver mailing list
> > [EMAIL PROTECTED]
> > http://list.linux-vserver.org/mailman/listinfo/vserver
