On Mon, Feb 09, 2004 at 11:31:58PM +0100, Michael Hilscher wrote:
> On 09.02.2004 at 13:29, Herbert Poetzl wrote:
> > chmod 000 /vservers
> > chattr +t /vservers
> >
> > / # ls -ld /vservers
> > d--------- 10 root root 1024 Dec 6 00:15 /vservers
> > / # lsattr -d /vservers
> > -----------t- /vservers
> >
> > SECURE
>
> you are right, after
> chmod 000 /vservers
> chmod +t /vservers
>
> the exploit doesn't work anymore. But on the other hand, I can't create a new
> vserver anymore:
> vserver beta build
> cp: cannot create hard link `/vservers/beta/./sbin/e2fsck' to
> `/vservers/beta/./sbin/fsck.ext3': Operation not permitted
> ... and so on :(

atm, I do not see how this might be related, because creation of hardlinks
and such stuff isn't affected by the 000+t barrier ...

> AND the chattr +t cmd worked correctly only after deleting the old /vserver
> dir.
> I used it on the old /vserver first but, after chattr +t /vservers, I got:
> lsattr -d /vservers
> ------------- /vservers

that is very unlikely, as the sole purpose of chattr +t is to change that
flag, so an unchanged flag after chattr +t would be a bug in the e2fsprogs ...

> that's the reason why the exploit still worked after upgrading to 1.24 ...
>
> But in the end I can't see any benefit to the chattr +i /vservers method.
> If I like to create a new vserver I have to chattr -i with the old vserver.
> With 1.24 I need to chattr -t /vservers before I can create a new one.

if done properly, that should not be required (probably other permissions
are wrong in your setup too)

> Is there another security issue in old ctx16 which I might not know
> yet, or am I secure (for the moment) with chattr +i ???

- procfs issues (might allow host reboot/scsi fun)
- the kernel exploit fixed in 2.4.24
- chattr +i isn't really safe, if you 'disable' it (even for short periods of time)

best,
Herbert

> greetinXs,
> Michael Hilscher
> --
> Would Mozart have been more productive if he had scribes to help him, a
> secretary and a CEO to lead his way? -- Linus Torvalds
>
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
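An added audit helper (not part of the thread or of the vserver tools) that checks whether a vserver root carries the 000 + t barrier Herbert describes. The two parsing functions take the strings that `stat -c %a` and `lsattr -d` print, so the logic can be exercised without root or an ext2/ext3 file system; `check_barrier` is a hypothetical wrapper that runs them against a live directory.

```shell
#!/bin/sh
# Added example: audit a directory for the "chmod 000 + chattr +t" barrier.

# mode_is_000 MODE : true if MODE (from `stat -c %a` or the first field of
# `ls -ld`) shows no permission bits at all.
mode_is_000() {
    case "$1" in
        0|000|d---------) return 0 ;;
        *) return 1 ;;
    esac
}

# has_barrier_flag LINE : true if the attribute field of an `lsattr -d`
# line contains the lowercase 't' flag.  Only the first field is examined,
# so a 't' in the path itself (e.g. /tmp/test) does not count.
has_barrier_flag() {
    flags=${1%% *}
    case "$flags" in
        *t*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_barrier DIR : prints SECURE/INSECURE for a real directory.
# Returns 0 when both conditions hold, 1 when not, 2 if stat/lsattr fail.
check_barrier() {
    dir=$1
    mode=$(stat -c %a "$dir" 2>/dev/null) || return 2
    attrs=$(lsattr -d "$dir" 2>/dev/null) || return 2
    if mode_is_000 "$mode" && has_barrier_flag "$attrs"; then
        echo "SECURE: $dir"
        return 0
    fi
    echo "INSECURE: $dir (mode $mode, attrs ${attrs%% *})"
    return 1
}
```

Run `check_barrier /vservers` on the host; an `INSECURE` line reproduces the situation Michael reports where `lsattr -d` still shows `-------------` after the chattr.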
