On Mon, 2002-11-04 at 22:47, Lars Braeuer wrote: > can anyone tell me how it can be possible for a vserver > admin to break out of the vserver, when the directory > containing the vserver has any other mode than 000 ? > http://www.bpfh.net/simes/computing/chroot-break.html
in short: chroot (which is what vserver is based upon) is only safe, when the user does not obtain root in the chroot jail. you can also read some more abstract information of the value of chroot and other solutions etc. http://www.linuxgazette.com/issue30/tag_chroot.html > or should the permissions be set for the dir of the actual vserver > (/vserver/x/.) instead of the directory containing the vservers > (/vserver/x/..) ? > it's /vservers that needs to be chmod 000 /vservers. The reason for that is that the way the chroot problem has been fixed is that the kernel checks for the access rights being 000, and if they are - even root are not allowed to progress beyond them. I'm not sure, if this means that root in one vserver, can actually enter another because it's not chmod 000'ed - if he can guess the vserver name? Anyone can answer that? -- Regards, Klavs Klavsen --------------| This mail has been sent to you by: |------------ Klavs Klavsen - Open Source Consultant [EMAIL PROTECTED] - http://www.EnableIT.dk Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA Fingerprint = 2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62 ---------------------------------------------------------------- Open Source Software - Sometimes you get more than you paid for. -- unknown
