On Fri, Feb 06, 2004 at 11:55:06PM -1000, Warren Togami wrote:
> > Hello Folks!
> >
> > because the last security fix for the chmod()/chroot()
> > issue was a little too fast, and a little too secure
> > for some distros (debian was mentioned), this release
> > restricts the security to the 'important' parts, the
> > vserver directory.
> >
> > this is done in the following way:
> >
> > the chroot() 000 barrier is unaffected and unchanged,
> > but in addition to that, a barrier with IUNLINK set
> > cannot be changed (chmod()), so the exploit isn't
> > possible on such a secured system.
> >
> > What you have to do, after applying that patch?
> >
> > chmod 000 /vservers
> > chattr +t -d /vservers
> >
> > all-in-one and broken-out patches for 2.4.24 as well
> > as incremental patches are available at
> >
> > http://www.13thfloor.at/vserver/s_release/
> >
> > a temporary fix for the chmod()/chroot() exploit is
> > to make the vserver directory immutable, but that
> > will affect vserver creation and destruction in
> > various ways, so an upgrade is advised.
> >
> > best,
> > Herbert
> >
>
> Hi Herbert,
>
> In the future could you please post GPG signed .asc signatures along with
> each release as part of standard release practice? Perhaps a link to the
> .asc file on your page too?

I'm working on that, and the first step has been done already, but it
wasn't worth the effort for the last two releases; the incremental
patches are quicker to verify than the pgp key.

> It would really save me a lot of time because otherwise I need to manually
> read diffs in order to guard against even the slightest possibility of
> trojaned sources on a compromised site.

I would always suggest manually reviewing any patches you add to your
kernel, and reporting any findings, but I know that there _is_ demand for
signatures, and I'll try to add that asap ...

HTH,
Herbert

> Warren Togami
> [EMAIL PROTECTED]
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
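The announcement quoted above says the secured barrier is a directory with mode 000 and the IUNLINK flag (set with `chattr +t`). The script below is an added example, not part of this thread or of the linux-vserver release: it checks that a directory actually has both properties. The pure check works on the values `stat -c %a` and `lsattr -d` print, so it can be run offline; the directory name `/vservers` and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the linux-vserver release or this thread):
# verify that a directory is set up as the vserver barrier described in
# the announcement: mode 000 and the 't' (IUNLINK) attribute set.

# Pure check on already-collected values, so it runs without root or ext2/3:
#   $1 = octal mode as printed by `stat -c %a` ("0" for mode 000)
#   $2 = attribute field as printed by `lsattr -d` (e.g. "----------------t")
# Returns 0 when both conditions hold, 1 otherwise. `case` is case-sensitive,
# so an uppercase 'T' (a different attribute) does not count.
barrier_ok() {
    mode="$1"
    attrs="$2"
    [ "$mode" = "0" ] || return 1
    case "$attrs" in
        *t*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Live check of a directory (needs stat and lsattr from e2fsprogs).
# Returns 2 if the values could not be collected at all.
check_barrier_dir() {
    dir="$1"
    mode=$(stat -c %a "$dir") || return 2
    attrs=$(lsattr -d "$dir" | awk '{print $1}') || return 2
    barrier_ok "$mode" "$attrs"
}

# Apply the barrier exactly as the announcement instructs. Must run as root
# on the patched kernel; kept in a function so sourcing the file changes
# nothing.
apply_barrier() {
    chmod 000 "$1" && chattr +t -d "$1"
}

# Example usage (assumed path /vservers):
#   apply_barrier /vservers
#   check_barrier_dir /vservers && echo "barrier OK" || echo "barrier NOT set"
```

Run the check after applying the patch and before starting guests; a directory that has the `t` flag but a mode other than 000 still fails the first half of the barrier, so both conditions are tested separately.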
