About this list Date view Thread view Subject view Author view Attachment view

From: Klavs Klavsen (klavs_at_EnableIT.dk)
Date: Tue 05 Nov 2002 - 08:47:33 GMT


On Mon, 2002-11-04 at 22:47, Lars Braeuer wrote:
> can anyone tell me how it can be possible for a vserver
> admin to break out of the vserver, when the directory
> containing the vserver has any other mode than 000 ?
>
http://www.bpfh.net/simes/computing/chroot-break.html

in short: chroot (which is what vserver is based upon) is only safe,
when the user does not obtain root in the chroot jail.

you can also read some more abstract information of the value of chroot
and other solutions etc.
http://www.linuxgazette.com/issue30/tag_chroot.html

> or should the permissions be set for the dir of the actual vserver
> (/vserver/x/.) instead of the directory containing the vservers
> (/vserver/x/..) ?
>
it's /vservers that needs to be chmod 000 /vservers. The reason for that
is that the way the chroot problem has been fixed is that the kernel
checks for the access rights being 000, and if they are - even root are
not allowed to progress beyond them.

I'm not sure, if this means that root in one vserver, can actually enter
another because it's not chmod 000'ed - if he can guess the vserver
name? Anyone can answer that?
 

-- 
Regards,
Klavs Klavsen

--------------| This mail has been sent to you by: |------------ Klavs Klavsen - Open Source Consultant klavs_at_EnableIT.dk - http://www.EnableIT.dk

Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA Fingerprint = 2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62 ---------------------------------------------------------------- Open Source Software - Sometimes you get more than you paid for. -- unknown


About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 06 Nov 2002 - 07:03:43 GMT by hypermail 2.1.3