On Sat, Feb 07, 2004 at 03:31:47AM +0100, Jan Panoch wrote:
> Hi All,
>
> Has anyone an idea how to avoid this security risk and continue to use
> XFS as my filesystem?
> The 1.26 patch is functional only on ext2/ext3 filesystems, I think...

hmm, xfs is in 2.4.25-rc1 and so I'm working on support
for that, if you are interested in testing this stuff,
let me know/show up on the irc channel (#vserver irc.oftc.net)
I'll be there until 5:30am CET and will return after 18:00 CET

HTH,
Herbert

> Tnx
>
> JP
>
> Cathy Sarisky wrote:
>
> >Hi All,
> >
> >RedHat (at least 9, not sure about earlier) is affected by vs1.25 also -
> >although most things work normally, useradd creates a directory with 000
> >permissions that root is not able to chmod. Can anyone running RH confirm
> >that vs1.26 doesn't have the issue before I build the kernel?
> >
> >Thanks!
> >Cathy
> >
> >p.s. Herbert - thank you for the VERY fast response to the vulnerability.
> >:)
> >
> >On Fri, 6 Feb 2004, Herbert Poetzl wrote:
> >
> >>On Fri, Feb 06, 2004 at 10:33:14PM +0100, Herbert Poetzl wrote:
> >>
> >>>Hello Folks!
> >>>
> >>>because the last security fix for the chmod()/chroot()
> >>>issue was a little too fast, and a little too secure
> >>>for some distros (debian was mentioned), this release
> >>>restricts the security to the 'important' parts, the
> >>>vserver directory.
> >>>
> >>>this is done in the following way:
> >>>
> >>>the chroot() 000 barrier is unaffected and unchanged,
> >>>but in addition to that, a barrier with IUNLINK set
> >>>can not be changed (chmod()), so the exploit isn't
> >>>possible on such a secured system.
> >>>
> >>>What you have to do, after applying that patch?
> >>>
> >>>chmod 000 /vservers
> >>>chattr +t -d /vservers
> >>>
> >>as enrico pointed out, this is crap ;)
> >>
> >> chattr +t /vservers
> >>
> >>is what I meant, sorry for the confusion
> >>
> >>best,
> >>Herbert
> >>
> >>>all-in-one and broken out patches for 2.4.24 as well
> >>>as incremental patches are available at
> >>>
> >>>http://www.13thfloor.at/vserver/s_release/
> >>>
> >>>a temporary fix for the chmod()/chroot() exploit is
> >>>to make the vserver directory immutable, but that
> >>>will affect vserver creation and destruction in
> >>>various ways, so an upgrade is advised.
> >>>
> >>>best,
> >>>Herbert
> >>>
> >>>_______________________________________________
> >>>Vserver mailing list
> >>>[EMAIL PROTECTED]
> >>>http://list.linux-vserver.org/mailman/listinfo/vserver
>
> --
> Jan Panoch - CTO
>
> ==================================================
> GLOBE INTERNET, s.r.o.   http://globe.cz
> SERVERY.CZ               server and web housing
> DOMENY.CZ                largest registrar of CZ domains
> GLOBEDESIGN.CZ           online marketing and application development
> ==================================================
> address: Planickova 1, 162 00 Praha 6
> map:     http://mapa.globe.cz
> mail:    [EMAIL PROTECTED]
> GSM:     +420 605 204 511
> Tel:     +420 235 365 000 Ext.:123
> Fax:     +420 235 365 009
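The barrier setup Herbert prescribes above (chmod 000 plus chattr +t on /vservers), as an added example that is not part of the thread and not the vserver project's own tooling: a POSIX shell check that a given directory actually has both properties, so an admin can confirm the fix is in place after an upgrade rather than trusting that the commands were typed correctly. It assumes GNU coreutils `stat -c %a` and e2fsprogs `lsattr -d`, and that on a vserver-patched kernel the 't' attribute shown by lsattr is what `chattr +t` sets (the IUNLINK flag the thread refers to); the script and function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the vserver project: verify that a
# directory is set up as a chroot barrier the way Herbert's message
# prescribes, i.e. mode 000 and the 't' attribute (chattr +t, which on a
# vserver-patched kernel marks the inode IUNLINK so the mode cannot be
# changed from inside a vserver).  Assumes GNU `stat -c %a` and e2fsprogs
# `lsattr -d`; the helper names below are my own.

# barrier_ok MODE FLAGS
#   MODE  - permission bits as `stat -c %a` prints them ("0" for mode 000)
#   FLAGS - the attribute field from `lsattr -d`, e.g. "----t--------"
# Exit status 0 when both barrier conditions hold, 1 otherwise.
barrier_ok() {
    case "$1" in
        0|00|000|0000) ;;      # no permission bit set for anyone
        *) return 1 ;;
    esac
    case "$2" in
        *t*) return 0 ;;       # 't' present: chattr +t has been applied
        *) return 1 ;;
    esac
}

# barrier_missing MODE FLAGS
# Prints one line per unmet condition, as a hint for the operator.
barrier_missing() {
    case "$1" in
        0|00|000|0000) ;;
        *) printf 'mode is %s, expected 000 (run: chmod 000)\n' "$1" ;;
    esac
    case "$2" in
        *t*) ;;
        *) printf "attribute 't' not set (run: chattr +t)\n" ;;
    esac
}

# check_barrier_dir DIR
# Reads the live mode and attributes of DIR and reports.  Exit 0 if DIR is
# a barrier, 1 if it is not, 2 if it could not be inspected.
check_barrier_dir() {
    dir=$1
    [ -d "$dir" ] || { printf '%s: not a directory\n' "$dir"; return 2; }
    mode=$(stat -c %a "$dir") || return 2
    # lsattr fails on filesystems without ext2-style attributes; the
    # attribute state is then unknown and DIR is not reported as a barrier.
    if line=$(lsattr -d "$dir" 2>/dev/null); then
        flags=${line%% *}
    else
        flags='?'
    fi
    if barrier_ok "$mode" "$flags"; then
        printf '%s: barrier in place (mode %s, attrs %s)\n' "$dir" "$mode" "$flags"
        return 0
    fi
    printf '%s: NOT a barrier (mode %s, attrs %s)\n' "$dir" "$mode" "$flags"
    barrier_missing "$mode" "$flags"
    return 1
}

# Usage: sh check_barrier.sh /vservers
if [ "$#" -gt 0 ]; then
    check_barrier_dir "$1"
fi
```

Run it as root (lsattr on a mode-000 directory needs it) against the vserver root. On a filesystem that does not support ext2-style attributes, lsattr fails and the script reports the attribute as unknown and the directory as not a barrier, which matches the ext2/ext3-only caveat raised in the thread; it does not try to set anything itself, it only tells you which of the two commands is still missing.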
