Chris Wright didn't really send that (or the other three bounce messages this morning). "Full spool" bounces normally go into an admin box here @wirex, but apparently kdolanat_private's ISP (Verio) has a FUBAR'd mail server that is ignoring the Errors-to: header on LSM posts. kdolanat_private has been disabled to prevent a recurrence, and veriomail.com has been chided.

Sorry for the disturbance.

Crispin

Chris Wright wrote:

>--===========================_ _= 6155395(1290+36392592)
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>
>This Message was undeliverable due to the following reason:
>
>One or more of the recipients of your message did not receive it
>because they would have exceeded their mailbox size limit. It
>may be possible for you to successfully send your message again
>at a later time; however, if it is large, it is recommended that
>you first contact the recipients to confirm that the space will be
>available for your message when you send it.
>
>User quota exceeded: SMTP <kdolanat_private>
>
>Please reply to <postmasterat_private>
>if you feel this message to be in error.
>
>
>--===========================_ _= 6155395(1290+36392592)
>Content-Type: message/delivery-status
>Content-Disposition: inline
>Content-Transfer-Encoding: 7bit
>
>Reporting-MTA: dns; dfw-spool1.email.verio.net
>Received-From-MTA:dns; dfw-smtpin2.email.verio.net (129.250.38.52)
>Arrival-Date: Tue, 11 Dec 2001 06:48:45 +0000
>
>
>--===========================_ _= 6155395(1290+36392592)
>Content-Type: message/rfc822
>Content-Disposition: inline
>Content-Transfer-Encoding: 7bit
>
>Return-Path: <linux-security-module-adminat_private>
>Received: from dfw-smtpin2.email.verio.net ([129.250.38.52]) by
> dfw-spool1.email.verio.net (Netscape Messaging Server 4.15) with
> ESMTP id GO62X901.DGG for <kdolanat_private>; Tue, 11 Dec 2001
> 06:48:45 +0000
>Received: from [65.102.14.2] (helo=mail.wirex.com)
> by dfw-smtpin2.email.verio.net with esmtp
> id 16Dgid-0007Eb-00
> for kdolanat_private; Tue, 11 Dec 2001 06:48:47 +0000
>Received: from mithra.wirex.com (localhost [127.0.0.1])
> by mail.wirex.com (Postfix) with ESMTP
> id 0FA5D3EC1C; Mon, 10 Dec 2001 22:49:02 -0800 (PST)
>Delivered-To: linux-security-moduleat_private
>Received: from figure1.int.wirex.com (cerebus.wirex.com [65.102.14.138])
> by mail.wirex.com (Postfix) with ESMTP id 2365A3EC13
> for <linux-security-moduleat_private>; Mon, 10 Dec 2001 22:48:21 -0800 (PST)
>Received: (from chris@localhost)
> by figure1.int.wirex.com (8.11.6/8.11.6) id fBB6ddi16950;
> Mon, 10 Dec 2001 22:39:39 -0800
>From: Chris Wright <chrisat_private>
>To: Jacques Gelinas <jackat_private>
>Cc: linux-security-moduleat_private
>Subject: Re: Anyone tried the "vserver" patch?
>Message-ID: <20011210223939.C3535at_private>
>References: <20011210124716.8d1b95128f43at_private>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Disposition: inline
>User-Agent: Mutt/1.2.5i
>In-Reply-To: <20011210124716.8d1b95128f43at_private>; from jackat_private on Mon, Dec 10, 2001 at 12:47:16PM -0500
>Sender: linux-security-module-adminat_private
>Errors-To: linux-security-module-adminat_private
>X-BeenThere: linux-security-moduleat_private
>X-Mailman-Version: 2.0rc1
>Precedence: bulk
>List-Help: <mailto:linux-security-module-requestat_private?subject=help>
>List-Post: <mailto:linux-security-moduleat_private>
>List-Subscribe: <http://mail.wirex.com/mailman/listinfo/linux-security-module>,
> <mailto:linux-security-module-requestat_private?subject=subscribe>
>List-Id: Pluggable linux security module framework <linux-security-module.wirex.com>
>List-Unsubscribe: <http://mail.wirex.com/mailman/listinfo/linux-security-module>,
> <mailto:linux-security-module-requestat_private?subject=unsubscribe>
>List-Archive: <http://mail.wirex.com/pipermail/linux-security-module/>
>Date: Mon, 10 Dec 2001 22:39:39 -0800
>
>* Jacques Gelinas (jackat_private) wrote:
>
>>You keep your current directory and do a chroot in a sub-directory. Then your
>>current directory is out of scope, compared to the new root. So you are free to
>>chdir("..") to the real root.
>>
>
>this is exactly what i'm referring to. chroot("test") does not affect
>current working dir. so chroot("..") breaks you right back out.
>it's still this way. i have a simple program that illustrates this.
>
>but chroot(1) does chroot("test"), chdir("/"). now if you try and play
>with ".." you are already at the root of your jail, so you can't break
>out with "." or ".." tricks.
so, if you are running your escaperoot.cc >test in a vserver, i believe you that it can't get out. > >hmmm, i just looked at escaperoot.cc, and it doesn't break out against >a plain kernel (no vserver) without the changes below ...you may want >to rerun your test?? > >i had to take the chdir for loop out, it seems .. gets lost once you pass the >real root. i run the test from /tmp, so one chdir("..") is enough to get >to the real root. > >cheers, >-chris > >--- escaperoot.cc.orig Mon Dec 10 21:21:10 2001 >+++ escaperoot.cc Mon Dec 10 22:45:51 2001 >@@ -33,8 +33,12 @@ > fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno)); > }else{ > // Try to chdir into the real root >- for (int i=0; i<1000; i++) chdir(".."); >+ // for (int i=0; i<1000; i++) chdir(".."); >+ chdir(".."); > print_pwd(); >+ if (chroot(".") == -1) { >+ fprintf(stderr,"couldn't break out (%s\n",strerror(errno)); >+ } > if (execl ("/bin/sh","/bin/sh",NULL)==-1){ > fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno)); > } 
>@@ -50,18 +54,20 @@ > printf ("test2\n"); > print_pwd(); > mkdir ("dummy_dir",0755); >- int fd = open (".",O_RDONLY); >+ /* capture the real root before chroot */ >+ int fd = open ("/",O_RDONLY); > if (fd == -1){ > fprintf (stderr,"Can't open current directory (%s)\n",strerror(errno)); > }else if (chroot ("dummy_dir")==-1){ > fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno)); >- }else if (fchdir(fd)==-1){ >+ }else if (fchdir(fd)==-1){ /* should be in real root now */ > fprintf (stderr,"Can't fchdir to the current directory (%s)\n" > ,strerror(errno)); > }else{ >- // Try to chdir into the real root >- for (int i=0; i<1000; i++) chdir(".."); > print_pwd(); >+ if (chroot(".") == -1) { /* break out, back to real root */ >+ fprintf(stderr,"couldn't break out (%s\n",strerror(errno)); >+ } > if (execl ("/bin/sh","/bin/sh",NULL)==-1){ > fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno)); > } > >_______________________________________________ >linux-security-module mailing list >linux-security-moduleat_private >http://mail.wirex.com/mailman/listinfo/linux-security-module > >--===========================_ _= 6155395(1290+36392592)-- > > > -- Crispin Cowan, Ph.D. Chief Scientist, WireX Communications, Inc. http://wirex.com Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
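Review bot: in the first hunk (@@ -33,8 +33,12 @@) the single chdir("..") is unchecked and only reaches the real root when the test is started exactly one level below it (the message says it is run from /tmp), so the result depends on where the test is launched. Check the return value and either state the starting-directory requirement in the comment or compare the directory before and after each chdir("..") and stop when it no longer changes. The new message "couldn't break out (%s\n" is missing its closing parenthesis, execl("/bin/sh", ...) still runs after chroot(".") has failed, so a shell appears even when the breakout did not happen, and the commented-out loop should be deleted rather than left in place.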
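Review bot: in the second hunk (@@ -50,18 +54,20 @@) open() now takes "/" but the two error strings still read "Can't open current directory" and "Can't fchdir to the current directory"; update both so a failure points at the root descriptor that is actually being used. The same unclosed "couldn't break out (%s\n" appears here, and as in the first hunk the execl of /bin/sh is reached even when chroot(".") returns -1, which makes a failed breakout hard to tell from a successful one in the test output.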
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 10:25:37 PST