From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Tue 05 Nov 2002 - 19:26:35 GMT
On Tue, 5 Nov 2002 09:47:33 -0500, Klavs Klavsen wrote:
> it's /vservers that needs to be chmod 000 /vservers. The reason for that
> is that the way the chroot problem has been fixed is that the kernel
> checks for the access rights being 000, and if they are - even root is
> not allowed to progress beyond them.
>
> I'm not sure if this means that root in one vserver can actually enter
> another because it's not chmod 000'ed - if he can guess the vserver
> name? Can anyone answer that?
No, he can't, because he has to open/lookup the /vservers directory and it
fails if the security context is not 0.
---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc