On Wednesday 08 February 2006 09:05, Thorsten Büker wrote:
> Dear list,
>
> making use of http://list.linux-vserver.org/archive/vserver/msg11839.html
> I recently patched a 2.6.14.5-Kernel as my first contact with VServer.
> After starting vprocunhide (from package util-vserver) on the Sarge system
> I tried to create a first box:
>
> vserver vhost0 build -m debootstrap --hostname vhost0.DOMAINNAME.de
> --force --context 50 -- -d sarge -m http://update.pureserver.info/debian
>
>
> After extracting all packages the process breaks...
>
> W: Failure trying to run: chroot /etc/vservers/.defaults/vdirbase/vhost0
> mount -t proc proc /proc
>
>
> ...while dmesg says:
>
> grsec: From MYIPADDRESS: denied mount of proc as
> /home/vservers/vhost0/proc from chroot by
> /home/vservers/vhost0/bin/mount[mount:105] uid/euid:0/0 gid/egid:0/0,
> parent /var/tmp/debootstrap.6KTNNr/usr/sbin/debootstrap[debootstrap:5863]
> uid/euid:0/0 gid/egid:0/0
>
>
> I assume this prevention is connected to Grsecurity's /proc-hiding, the
> relevant parts of the current kernel configuration follow below. In case
> this is correct, Grsecurity offers various ways of CONFIG_GRKERNSEC_PROC
> -- but I've got no idea, which one is the right ;-)
> Any advice from your side on a better configuration regarding the needs of
> Vserver is appreciated!

heya,

first thing... vserver uses capabilities... so you should make sure you
disable capability restrictions, otherwise, your vservers will not work...

these are my kernel options:

CONFIG_VSERVER=y
CONFIG_VSERVER_LEGACYNET=y

#
# Linux VServer
#
CONFIG_VSERVER_LEGACY=y
# CONFIG_VSERVER_LEGACY_VERSION is not set
CONFIG_VSERVER_DYNAMIC_IDS=y
# CONFIG_VSERVER_NGNET is not set
CONFIG_VSERVER_COWBL=y
CONFIG_VSERVER_PROC_SECURE=y
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
# CONFIG_INOXID_NONE is not set
# CONFIG_INOXID_UID16 is not set
# CONFIG_INOXID_GID16 is not set
CONFIG_INOXID_UGID24=y
# CONFIG_INOXID_INTERN is not set
# CONFIG_INOXID_RUNTIME is not set
# CONFIG_XID_TAG_NFSD is not set
CONFIG_XID_PROPAGATE=y
CONFIG_VSERVER_DEBUG=y
CONFIG_VSERVER_HISTORY=y
CONFIG_VSERVER_HISTORY_SIZE=64

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:
1. I am by definition, "the intended recipient"
2. All information in the email is mine to do with as I see fit and make
   such financial profit, political mileage, or good joke as it lends
   itself to. In particular, I may quote it on usenet.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may
   be included on your message.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
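
Added example, not part of the thread: a POSIX shell check that ties the denial in the quoted dmesg line to the chroot options in the posted .config. Reading that message as the work of CONFIG_GRKERNSEC_CHROOT_MOUNT is this example's interpretation of grsecurity's chroot mount restriction, not something either poster states; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the chroot-related lines of the .config posted in the reply.
SAMPLE_CONFIG='CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
CONFIG_GRKERNSEC_SYSCTL=y'

# The dmesg line from the original post, with the mail line wrapping undone.
SAMPLE_LOG='grsec: From MYIPADDRESS: denied mount of proc as /home/vservers/vhost0/proc from chroot by /home/vservers/vhost0/bin/mount[mount:105] uid/euid:0/0 gid/egid:0/0, parent /var/tmp/debootstrap.6KTNNr/usr/sbin/debootstrap[debootstrap:5863] uid/euid:0/0 gid/egid:0/0'

# opt_state CONFIG_TEXT OPTION: print the option's value, or "unset" when it
# is absent or only appears as "# OPTION is not set".
opt_state() {
    printf '%s\n' "$1" | awk -F= -v o="$2" '
        $1 == o { v = $2; found = 1 }
        END     { print (found ? v : "unset") }'
}

# denied_chroot_mount LOG_LINE: print "<device> <mountpoint>" for a grsec
# chroot mount denial, nothing for any other line.
denied_chroot_mount() {
    printf '%s\n' "$1" | sed -n \
        's/^.*grsec: .*denied mount of \([^ ]*\) as \([^ ]*\) from chroot by .*$/\1 \2/p'
}

# findings CONFIG_TEXT LOG_LINE: one line per setting that matters here.
findings() {
    # The reply's advice: capability restrictions must be off for vserver.
    if [ "$(opt_state "$1" CONFIG_GRKERNSEC_CHROOT_CAPS)" = y ]; then
        echo "CHROOT_CAPS=y: capability restrictions active (reply: disable for vserver)"
    fi
    # Assumption of this example: the logged denial comes from CHROOT_MOUNT.
    hit=$(denied_chroot_mount "$2")
    if [ -n "$hit" ] && [ "$(opt_state "$1" CONFIG_GRKERNSEC_CHROOT_MOUNT)" = y ]; then
        echo "CHROOT_MOUNT=y: matches denied mount of ${hit% *} at ${hit#* }"
        if [ "$(opt_state "$1" CONFIG_GRKERNSEC_SYSCTL)" = y ]; then
            echo "SYSCTL=y: grsecurity features are runtime-tunable via sysctl"
        fi
    fi
}

findings "$SAMPLE_CONFIG" "$SAMPLE_LOG"
```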
