From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Mon 02 May 2005 - 14:02:23 BST
On Mon, May 02, 2005 at 11:11:11AM +0200, Nicolas Costes wrote:
> On Friday 29 April 2005 21:53, Oliver Dietz wrote:
> > ok, let's do some brainstorming (comment: I'm no vserver specialist nor
> > can I write programs on linux):
> > [OK] Checking proc-fs [WARN]
> > found kmem-entry [...]
>
> Talking about that, I checked /proc on one of my vservers... Is this line
> a good thing? Is it a potential security issue?

usually (i.e. after vprocunhide) you have something like:

  $ chcontext --ctx 100 ls /proc/
  New security context is 100
  1        devices      iomem    loadavg  mounts  slabinfo  sysvipc
  85       execdomains  ioports  locks    net     stat      tty
  cmdline  filesystems  kcore    meminfo  pci     swaps     uptime
  cpuinfo  interrupts   kmsg     misc     self    sys       version

which looks a little _insecure_ at first glance, but
if you look a little closer ...

  $ chcontext --ctx 100 --secure wc /proc/kcore
  New security context is 100
  wc: /proc/kcore: Operation not permitted

which should be sufficient, of course, you can always
hide that entry too, given that your userspace doesn't
look for it ...

HTH,
Herbert

> # ls -l /proc
> -r-------- 1 root root 939528192 mai 2 11:04 kcore
>
> Note: I have 1Gb ram on this box...
>
> --
> ,,
> (°> Nicolas Costes
> /|\ IUT de La Roche / Yon
> ( ^ ) Public key: http://www.keyserver.net/
> ^ ^ Free music: http://www.magnatune.com/
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
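
Added example, not part of the original thread: a small shell check for the distinction the reply draws between a /proc entry being listed and being accessible. It only attempts to open kcore, kmem and kmsg (the entries named in the thread); the function names and the PROC_ROOT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies sensitive /proc entries
# from the point of view of the context the script runs in:
#   hidden - the entry is not listed at all
#   denied - the entry is listed, but open() is refused
#   open   - the entry is listed and can be opened for reading

# classify_entry PATH  (hypothetical helper name)
classify_entry() {
    path=$1
    # Not present in the directory: the entry is hidden from this context.
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo hidden
        return 0
    fi
    # Listed. Try to open it read-only in a subshell; nothing is read, so
    # entries such as kmsg cannot block the check waiting for data.
    if ( exec 3<"$path" ) 2>/dev/null; then
        echo open
    else
        echo denied
    fi
}

# audit_proc [ROOT]  (hypothetical helper name; ROOT defaults to /proc)
# Prints "<entry> <state>" for each entry named in the thread.
audit_proc() {
    root=${1:-/proc}
    for name in kcore kmem kmsg; do
        printf '%s %s\n' "$name" "$(classify_entry "$root/$name")"
    done
}

# PROC_ROOT is an assumed override so the check can be pointed at a test tree.
audit_proc "${PROC_ROOT:-/proc}"
```

Run it inside the guest context, for example through the same chcontext --ctx 100 --secure invocation shown in the reply, so the result reflects what that context can open rather than what the host can.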