
From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Tue 23 Sep 2003 - 13:24:28 BST


m.racine_at_free.fr ("Matthieu Racine") writes:

>> > chbind --ip <my_vserverip> --bcast <my_vserver_broadcast> chroot
>> > ${VSERVERS_ROOT}/${VSERVER_NAME} mount -t nfs
>> > <myNFSserverIP>:/partage/nfs/pro /mnt/pro
>>
>> This 'chroot' makes you vulnerable to attacks from inside
>> of the chroot
> ...
> so :
>
> cp -pf /bin/mount ${VSERVERS_ROOT}/${VSERVER_NAME}/bin/mount && chbind --ip
> blablabla....

Do not forget /lib/libc.so, the other libraries and the locale-data
and ... You have to empty /etc/mtab, too; an attacker could put
data in it which causes overflows.

When the vserver is running already (e.g. 'mount' happens in
post-start), this is not applicable at all because of possible
races.

But I do not see a real reason for the 'chroot'...

Enrico
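
The alternative the reply points to, mounting without the 'chroot', as an added example that is not part of the original thread: the host's own mount binary is run on the guest path after checking that the path does not resolve outside the guest tree. The helper names and the symlink check are assumptions of this example; the chbind options are the ones quoted above.

```shell
#!/bin/sh
# Added example: mount from the host context instead of chroot-ing into
# the guest tree. resolve_in_guest and mount_nfs_into_guest are
# hypothetical helper names, not vserver tools.

# Print the canonical path of REL under ROOT. Fail if it resolves outside
# ROOT (for instance through a relative or absolute symlink planted inside
# the guest) or if it is not an existing directory.
resolve_in_guest() {
    root=$(readlink -f "$1") || return 1
    target=$(readlink -f "$root/$2") || return 1
    case "$target" in
        "$root"/*) ;;
        *)
            echo "refusing: $2 resolves to $target, outside $root" >&2
            return 1
            ;;
    esac
    if [ ! -d "$target" ]; then
        echo "refusing: $target is not a directory" >&2
        return 1
    fi
    printf '%s\n' "$target"
}

# Run the host's mount (host libc, host locale data, host /etc/mtab) on
# the resolved path, so nothing under the guest's control is executed or
# parsed as root.
# $1 = guest root, $2 = path inside guest, $3 = NFS source,
# $4 = guest IP, $5 = guest broadcast address
mount_nfs_into_guest() {
    dest=$(resolve_in_guest "$1" "$2") || return 1
    chbind --ip "$4" --bcast "$5" mount -t nfs "$3" "$dest"
}

# The path check is only meaningful while the guest is stopped: a running
# guest can swap a directory for a symlink between the check and the mount.
```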


Generated on Tue 23 Sep 2003 - 14:12:10 BST by hypermail 2.1.3