Does anyone have an idea how to avoid this security risk and continue to use XFS as my filesystem?
The 1.26 patch is functional only on ext2/ext3 filesystems, I think...
Thanks,
JP
Cathy Sarisky wrote:
Hi All,
RedHat (at least 9, not sure about earlier) is affected by vs1.25 also - although most things work normally, useradd creates a directory with 000 permissions that root is not able to chmod. Can anyone running RH confirm that vs1.26 doesn't have the issue before I build the kernel?
Thanks! Cathy
P.S. Herbert - thank you for the VERY fast response to the vulnerability. :)
On Fri, 6 Feb 2004, Herbert Poetzl wrote:
On Fri, Feb 06, 2004 at 10:33:14PM +0100, Herbert Poetzl wrote:
Hello Folks!

as enrico pointed out, this is crap ;)
because the last security fix for the chmod()/chroot() issue was a little too fast, and a little too secure for some distros (Debian was mentioned), this release restricts the security to the 'important' parts, the vserver directory.
this is done in the following way:
the chroot() 000 barrier is unaffected and unchanged, but in addition to that, a barrier with IUNLINK set can not be changed (chmod()), so the exploit isn't possible on such a secured system.
What do you have to do after applying that patch?
chmod 000 /vservers
chattr +t -d /vservers
chattr +t /vservers
is what I meant, sorry for the confusion
best, Herbert
all-in-one and broken out patches for 2.4.24 as well as incremental patches are available at
http://www.13thfloor.at/vserver/s_release/
a temporary fix for the chmod()/chroot() exploit is to make the vserver directory immutable, but that will affect vserver creation and destruction in various ways, so an upgrade is advised.
best, Herbert
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
-- 
Jan Panoch - CTO
==================================================
GLOBE INTERNET, s.r.o. http://globe.cz
SERVERY.CZ server and web housing
DOMENY.CZ largest registrar of CZ domains
GLOBEDESIGN.CZ online marketing and application development
==================================================
address: Planickova 1, 162 00 Praha 6
map: http://mapa.globe.cz
mail: [EMAIL PROTECTED]
GSM: +420 605 204 511
Tel: +420 235 365 000 Ext.: 123
Fax: +420 235 365 009
