1146096010 M * Bertl please update to 0.30.210 (probably -7 from backports)
1146096018 M * brc ok
1146096044 Q * ntrs Ping timeout: 481 seconds
1146096116 M * brc running configure
1146096117 M * brc ..
1146096150 M * Bertl ah, building from scratch?
1146096150 M * brc btw, when the file does not end on the newline, the vserver starts. I just don't know if it is applying what it found on ccapabilities
1146096164 M * Bertl if so, don't forget to adjust the paths
1146096185 M * Bertl no, it doesn't
1146096189 M * brc ok
1146096211 M * Bertl at least I remember such an issue
1146096962 J * ntrs ~ntrs@68-188-51-87.dhcp.stls.mo.charter.com
1146097044 M * brc finally finished
1146097355 M * brc /dev/hdb1 [/]: group quotas turned on
1146097359 M * brc /dev/hdb1 [/]: user quotas turned on
1146097360 M * brc :)
1146097390 M * Bertl good :)
1146097580 Q * doener_ Ping timeout: 480 seconds
1146097596 M * Bertl brc: now let's check if they behave well ...
1146097648 M * Bertl btw, could you upload the test-script somewhere (latest version), so that I could have a look at it and maybe even suggest improvements
1146097907 M * brc i am checking
1146097913 M * brc yes
1146097919 M * brc pastebin or you want somewhere to edit it ?
1146097933 M * Bertl doesn't matter
1146097943 M * brc the diff had a lot of stuff cause the test user has a different ID/GID. i am fixing that.
1146098029 M * brc the outputs were different
1146098032 M * brc i am sending everything to pastebin
1146098037 M * Bertl okay
1146098092 M * brc quota_teste: http://pastebin.com/684110
1146098210 M * brc output_2.6.16.1-vsX http://pastebin.com/684112
1146098249 M * brc output inside: http://pastebin.com/684113
1146098272 M * Bertl okay, we are still missing group limits, right?
1146098294 M * brc diff: http://pastebin.com/684114
1146098294 M * Bertl and most important, we do not have any change in user/group ownership yes
1146098297 M * Bertl *yet
1146098317 M * brc Yes! But i took note about all that the last time and going to implement
1146098429 M * Bertl okay, we need at least the uid ownership change before we can move on
1146098469 M * brc Ok made that a priority on the list and going to do that tomorrow
1146098475 M * brc don't you think we have a problem at "blocks" ??
1146098495 M * brc They are always different
1146098562 M * Bertl well, I'd suggest to switch to printing offsets instead of values
1146098582 M * Bertl i.e. have the output _before_ you take some action
1146098598 M * Bertl then do whatever you test, and get the output _afterwards_
1146098608 M * Bertl after that, only show the difference
1146098618 M * Bertl as in blocks_new - blocks_old
1146098656 M * brc just found out why the blocks were different
1146098666 M * brc there was another dir chowned as this user :)
1146098674 M * brc ( i had to change uid)
1146098701 M * brc So i wouldn't show everything, just the differences ?
1146098740 M * brc What i do there is: output when there is no file for that user
1146098758 M * brc output when it hits half of the quota (a warning is given at this time from quota)
1146098758 M * Bertl IMHO that would help, of course, if you make sure that the filesystem is always in the same initial state, you do not have those issues
1146098783 M * brc Oops. half of the quota (no warnings), then soft limit reached (warning) then hard limit reached should give an error.
1146098807 M * brc I just got confused at this time cause i was inside the vserver, and had to create users, etc. but from now on everything will be correct
1146098812 M * Bertl also the difference in the device should be coped with, but you could do the tests on the same filesystem (inside and outside) I'd guess
1146098866 M * brc I used rpl to replace hdb1 on the output to hda1 so there wouldn't be differences on the diff
1146099125 M * Bertl just looking for a tool which might help you
1146099219 M * brc ok
1146099577 Q * matta Ping timeout: 480 seconds
1146100010 M * Bertl ah, found it :)
1146100049 M * Bertl brc: http://vserver.13thfloor.at/Experimental/TOOLS/setugid.c
1146100121 M * brc cool
1146100128 M * brc so i will get into a user and do something ?
1146100128 M * Bertl with this you should be able to make the test passwd/group independent
1146100157 M * brc hmm. i don't see how this will help me making it independent
1146100163 M * brc a user with that id will need to exist
1146100165 M * Bertl IMHO the best would be to switch to numeric values
1146100173 M * brc uid
1146100175 M * Bertl brc: no, not at all
1146100193 M * Bertl try with uid/gid 1001 for example
1146100217 M * Bertl also the quota tools all support numeric ids too
1146100225 M * brc got it, always using uid 1001 and not user "test"
1146100285 M * brc anyway, i don't think that user/uid numbers will be a real problem since we are going to use the same vserver for all tests. aren't we ? :)
1146100325 M * daniel_hozac it would help to get reproducible tests that don't require that specific guest ;)
1146100331 M * Bertl brc: well, yes, but if you do not rely on user names, it becomes portable, and others can test too
1146100424 M * brc Ahh ok got it
1146100430 M * brc now i got the idea, good idea :)
1146100438 M * brc I will re-do the script tomorrow with all that fixed
1146100467 M * brc About the file ownership you said, will it just be a matter of chowning a file to the other user and checking quotas for both of them ?
1146100477 M * brc Just want to make sure so i won't do wrong stuff
1146100492 M * Bertl this is one aspect, the other one is implicit change in ownership
1146100541 M * daniel_hozac implicit change in ownership?
1146100578 M * Bertl yeah, well, in this case, context ownership
1146100612 M * Bertl starts with writing to an xid=0 tagged file, and ends with CoW link breaking
1146100634 M * Bertl brc: but I guess we can leave those details for later
1146100635 M * daniel_hozac ah.
1146100655 J * matta ~matta@c-68-32-202-140.hsd1.pa.comcast.net
1146100660 M * Bertl wb matta!
1146100732 M * brc hehe ok
1146100735 M * brc i was starting to get confused
1146100747 M * brc i took note about everything. going to sleep and implement that tomorrow
1146100767 M * brc And if the script would check for the users/uids and fix them ?
1146100773 M * brc It would work anywhere
1146100780 M * brc but wouldn't be useful for a server in production :)
1146100781 M * Bertl okay, focus on simple tests, one or two repetitions
1146100805 M * brc Ok!
1146100810 M * brc good night bertl, daniel!
1146100818 M * Bertl good night!
1146100908 M * Bertl daniel_hozac: did you have a look at the sparse stuff?
1146100992 M * Bertl did see a lot of 'Using plain integer as NULL pointer' warnings
1146101106 M * daniel_hozac it seems to have quite a few bogus warnings.
1146101137 M * Bertl yeah, I'm also not sure if the cross diff did check the archs too, or suddenly just the sparse stuff
1146101285 M * daniel_hozac yeah, that was quite odd. there should be at least some warnings with different line numbers.
1146101339 M * Bertl yes, but maybe with identical warning/error count it does skip that?
1146101371 M * daniel_hozac perhaps...
1146101436 M * Bertl do you want to have a look at the code? I warn you, it's perl :)
1146101479 M * daniel_hozac haha, sure.
1146101554 M * Bertl Experimental/PLM
1146101726 M * Bertl it's very likely it got broken when they added the new filters
1146101778 M * Bertl okay, afk, brb shortly ...
1146102691 M * daniel_hozac yeah, if it's the same status and the same amount of warnings/errors, it won't do the diff.
1146102754 M * daniel_hozac cross_compile_report:112
1146102842 M * Bertl okay, could we make that an option?
1146102917 M * Bertl or just a second version without that check if that is easier
1146113059 M * Bertl okay, I'm off to bed now .. have a good one!
1146113066 N * Bertl Bertl_zZ
1146113508 M * mugwump blast
1146113518 M * mugwump anyone know how to set a ccap ?
1146113527 M * mugwump (other than in the config file, I mean which command does it)
1146113562 J * _coocoon_ ~coocoon@p54A0540A.dip.t-dialin.net
1146115216 M * mugwump ah, vattribute
1146115968 J * Seck_ ~a@pool-141-150-89-157.nwrk.east.verizon.net
1146116162 Q * Seck_ Quit:
1146116572 Q * _coocoon_ Quit: KVIrc 3.2.0 'Realia'
1146117075 N * otaku42_away otaku42
1146117431 J * _coocoon_ ~coocoon@p54A0540A.dip.t-dialin.net
1146117736 M * mugwump ARGH
1146117769 M * mugwump sh-2.05b# chcontext --secure --cap mknod /bin/mknod /tmp/foo c 1 1
1146117769 M * mugwump Unknown capability 'mknod'
1146117797 M * mugwump magnus:/usr/lib/util-vserver# chcontext --secure --cap mknod /bin/mknod /tmp/foo c 1 1
1146117800 M * mugwump New security context is 49188
1146117802 M * mugwump /bin/mknod: `/tmp/foo': Operation not permitted
1146118439 M * mugwump yet a vserver with mknod in /etc/vservers/foo/ccapabilities works as expected. what am I doing wrong?
1146118595 Q * id23 Ping timeout: 480 seconds
1146119139 J * id23 ~id@p54A00B1E.dip0.t-ipconnect.de
1146119480 M * mugwump aha! old utils again
1146119492 M * mugwump foolish me, thinking 0.30.209 was current enough to get by
1146120193 A * mugwump gives up and goes home &
1146120652 J * baggins baggins@kenny.mimuw.edu.pl
1146120982 J * chelli ~thomas@PC1.ideolabs.TGZ-Ilmenau.de
1146122396 Q * cryo Ping timeout: 480 seconds
1146122848 J * cryo ~say@psoft.user.matrix.farlep.net
1146123256 J * pagano ~pagano@lappagano.cnaf.infn.it
1146123620 Q * Aiken Remote host closed the connection
1146123787 J * ||Cobra|| ~cob@146.50.22.204
1146123940 Q * ntrs Ping timeout: 480 seconds
1146123961 Q * matta jupiter.oftc.net helium.oftc.net
1146123961 Q * click_ jupiter.oftc.net helium.oftc.net
1146123961 Q * mountie jupiter.oftc.net helium.oftc.net
1146123961 Q * sladen jupiter.oftc.net helium.oftc.net
1146123961 Q * gerrit jupiter.oftc.net helium.oftc.net
1146123961 Q * derjohn jupiter.oftc.net helium.oftc.net
1146123961 Q * redtux jupiter.oftc.net helium.oftc.net
1146124023 J * alamar_ ~alamar@sol.diddens.de
1146124033 T * services.oftc.net http://linux-vserver.org/ | latest stable 2.01, 1.2.10, 1.2.11-rc1, devel 2.1.0, exp 2.{0.2,1.1}-rc17 | util-vserver-0.30.210 | libvserver-1.0.2 & vserver-utils-1.0.3 | He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the wiki, and we'll forget about the minute ;)
1146124093 Q * ray6 Ping timeout: 480 seconds
1146124116 Q * alamar Remote host closed the connection
1146124144 J * ksf ~krazy_sys@202.80.169.52
1146124421 J * ntrs ~ntrs@68-188-51-87.dhcp.stls.mo.charter.com
1146124500 Q * FireEgl Ping timeout: 480 seconds
1146124614 M * baggins Bertl_zZ: there is a serious problem with the vx_ccaps logic in kernel, /msg me when you wake up
1146124670 M * dev what kind of problem?
1146124733 M * baggins dev: try `hostname something` inside vserver from non-root
1146124945 M * dev what happens?
1146125001 M * baggins it works, but you should get EPERM
1146125054 M * baggins we have to s/!A && !B/!(A && B)/ in a lot of places in kernel patch
1146125124 M * dev you mean in mainstream?
1146125153 Q * _coocoon_ Remote host closed the connection
1146125170 M * baggins i'm sure of 2.1.1-pre, have to check the other patches
1146125311 M * dev :(
1146125568 M * baggins yes, this is serious, 2.0.1 is also vulnerable
1146125606 M * baggins :((((
1146125690 M * dev is it a security issue?
1146125711 J * _coocoon_ ~coocoon@p54A0540A.dip.t-dialin.net
1146125739 M * eyck is 1.2.11 vulnerable?
1146125829 M * _coocoon_ hello, having some problems with testme.sh output on x86_64, i am using suse 10. kernel: 2.6.16.8-vs2.1.1-rc17-default, getting error chbind: symbol lookup error: chbind: undefined symbol: vc_set_ipv4root
1146125902 M * _coocoon_ vserver-info: http://phpfi.com/114997
1146125935 J * FireEgl Atlantica@Atlantica.Tcldrop.Com
1146125975 M * _coocoon_ other error message is chbind failed! ipv4root is now 127.0.0.1
1146126047 M * baggins eyck: I don't think so, at least I don't see the code that is responsible for it there
1146126100 M * eyck baggins: thanks.
1146126531 M * _coocoon_ ok another question, maybe anyone here can help me, first of all having problems to activate dietlibc during configuring util-vserver-0.30.210, on my amd64
1146126544 M * _coocoon_ Use dietlibc: no (you have been warned)
1146126567 M * _coocoon_ if i am using -enable-dietlibc switch make fails
1146126596 M * _coocoon_ it is a known problem with x86_64 i have read but how to solve this
1146127815 Q * _coocoon_ Remote host closed the connection
1146127984 Q * shedi Quit: Leaving
1146129724 J * W0nka produziert@chaos.in-kiel.de
1146129725 Q * Wonka Read error: Connection reset by peer
1146130419 M * otaku42 hi all.
1146130460 M * otaku42 i use vserver on debian sarge. question: how can i make a vserver be started automatically when the host is booting?
1146130485 M * otaku42 i found a notice about how to do that with the old configuration scheme, but i'm running on the new scheme.
1146130847 M * baggins dev: http://sith.mimuw.edu.pl/~baggins/vserver/delta-ccaps-fix.diff
1146130874 M * baggins dev: patch is against 2.1.1-rc17, adapting it for 2.0.1 shouldn't be a problem
1146131028 J * ScoobyD00 ~foo@80-195-186-201.cable.ubr08.newm.blueyonder.co.uk
1146131061 M * ScoobyD00 does anybody know how to run iptables in a vserver guest?
1146131100 M * otaku42 ScoobyD00: i'm quite new to vserver, but i vaguely remember that i've read that iptables can only be run on the host
1146131101 M * Hollow ScoobyD00: won't work (at least as in 'virtualized iptables')
1146131137 M * ScoobyD00 i thought if i set NET_ADMIN it could control as if the host was doing it?
1146131157 M * Hollow yes, that's why i said as in 'virtualized iptables'
1146131161 M * ScoobyD00 i don't want iptables rules within a guest, just managed from a guest
1146131189 M * ScoobyD00 ok, thanks Hollow - i move it back to the host :o)
1146131202 M * Hollow good idea :)
1146131230 M * Hollow otaku42: /etc/vservers//apps/init/mark
1146131238 M * otaku42 Hollow: thanks :)
1146131242 M * Hollow then put all marks you want to start in the init script
1146131256 M * otaku42 Hollow: erm... marks?
1146131260 M * Hollow e.g.:
1146131271 M * Hollow echo default > /etc/vservers/foo/apps/init/mark
1146131275 M * Hollow will be started always
1146131289 M * Hollow echo othervsgroup > /etc/vserver/bar/apps/init/mark
1146131299 M * Hollow you have to tell the init script to start othervsgroup
1146131310 M * Hollow so you can fine tune what to start and what not
1146131316 M * Hollow and also make dependencies
1146131332 M * Hollow the flower page should have the details
1146131337 M * otaku42 Hollow: ah, now i get it, thanks
1146131350 M * otaku42 Hollow: checking the flowerpage about the marks stuff now, thanks
1146131356 M * Hollow you're welcome!
1146131466 M * Hollow baggins: did you patch all occurrences?
1146131491 M * Hollow (i verified it for 2.0.1)
1146131728 M * baggins Hollow: I think so (ccaps at least)
1146131751 M * baggins Hollow: other vx_ccaps calls looked good to me
1146131784 M * Hollow ok, as this seems very serious i will file a private GLSA in the first place
1146131799 M * Hollow (dunno which distro you are on though..)
1146131814 M * dev Hollow: what is GLSA?
1146131821 M * Hollow gentoo linux security advisory
1146131824 M * dev ahh
1146132169 Q * ScoobyD00 Quit:
1146132397 M * baggins Hollow: BTW, I already sent this patch to Herbert
1146132513 M * Hollow ok, good
1146133613 M * daniel_hozac baggins: that patch won't work.
1146133655 M * daniel_hozac baggins: that requires the guest to have CAP_SYS_ADMIN to set the hostname... making the context capability useless.
1146133772 M * daniel_hozac (since you _never_ want your guests to have that)
1146133830 M * daniel_hozac basically, your patch renders the context capabilities useless.
1146133948 M * baggins daniel_hozac: I'm building patched kernel now, and I will test it
1146133964 M * daniel_hozac baggins: i can promise you, you won't be able to set the hostname from within guests at all now.
1146133991 M * daniel_hozac or use quotas, or virtualized dmesg, or mounting.
1146134260 M * Hollow daniel_hozac: mhm, but nevertheless you can reproduce the issue as well?
1146134297 M * baggins daniel_hozac: and _some_ fix is needed, I don't want my lusers to change their own quotas
1146134302 M * daniel_hozac yes, i can see why users are able to use it.
1146134342 M * Hollow imo the logic should be vice versa..
1146134352 M * Hollow if (CAP_SYS_ADMIN || VXC_SET_UTSNAME)
1146134357 M * daniel_hozac that's what it is.
1146134363 M * daniel_hozac except negated.
1146134376 M * daniel_hozac !(x || y) == !x && !y
1146134381 M * Hollow no, i mean do not return EPERM then, but do the stuff
1146134391 M * daniel_hozac well, you'll get the exact same results.
1146134407 M * daniel_hozac but you'd have to indent an extra tab for each permission check...
1146134435 M * Hollow hm..
1146134466 M * Hollow how is it supposed to be? have both sys_admin and set_utsname to be set?
1146134471 M * Hollow or just one of them?
1146134521 M * daniel_hozac you _never_ want to give CAP_SYS_ADMIN to a guest.
1146134535 M * Hollow indeed.
1146134535 M * daniel_hozac but checking for just set_utsname will let users do it as well.
1146134536 M * daniel_hozac http://daniel.hozac.com/vserver/delta-ccaps-fix01.diff
1146134540 M * daniel_hozac q'n'd patch.
1146134561 M * Hollow eh?
1146134586 M * daniel_hozac all guests should have CAP_CHOWN, so checking for it makes sure we only allow the root user.
1146134595 M * daniel_hozac (as i said, dirty)
1146134675 M * Hollow i always thought a normal user is also able to chown ;)
1146134690 M * daniel_hozac nope.
1146134703 M * Hollow now you confuse me
1146134709 M * daniel_hozac a user cannot chown.
1146134738 M * Hollow damn..
1146134745 M * Hollow you're right :P
1146134773 M * daniel_hozac would be rather easy to gain root if you could...
1146134783 M * daniel_hozac just make yourself a setuid binary and chown it to root.
1146134810 M * Hollow yes.. i wonder what made me think of it.. i never even tried i guess (at least as non-root)
1146134935 M * Hollow daniel_hozac: so, since we're basically able to strip every ccap from a guest, is there even the possibility of a non-dirty patch? :)
1146134967 M * daniel_hozac i guess you mean bcap?
1146134972 M * Hollow sure
1146134984 M * daniel_hozac we could just check the effective uid i guess.
1146134986 M * Hollow i should better stop talking, i'm too confused today
1146135025 M * daniel_hozac hehe, i know that feeling :)
1146135032 M * Hollow :)
1146135261 M * daniel_hozac current->euid == 0? or which of {,e,r,s}uid is the appropriate one?
1146135291 M * Hollow daniel_hozac: ok, so i have to decide in the glsa form whether arbitrary code execution is possible or 'just' privilege escalation.. what do you think?
1146135303 M * Hollow daniel_hozac: i never really got the differences :o
1146135310 M * Hollow (between e,r,s)
1146135314 M * daniel_hozac privilege escalation.
1146135318 M * Hollow ok, thought so
1146135320 M * daniel_hozac me neither.
1146135326 M * daniel_hozac which is why i'm asking :)
1146135331 J * _coocoon_ ~coocoon@p54A0540A.dip.t-dialin.net
1146135334 M * Hollow heh
1146135347 M * daniel_hozac i don't see how you'd get arbitrary code execution.
1146135362 M * daniel_hozac you just get a few more privileges than you should have.
1146135394 M * baggins uid check is also dirty, we'll be reintroducing something that capabilities were supposed to replace
1146135522 M * daniel_hozac so what would you consider the canonical way to determine if current is run by root?
1146135570 Q * softi42 Ping timeout: 480 seconds
1146135730 M * baggins i'm thinking about it, one solution is to add something like vx_capable()
1146135742 M * baggins i have to rethink the problem...
1146135747 M * daniel_hozac ... that's what vx_ccaps and vx_bcaps are...
1146135875 M * Hollow hm, has anyone verified it for 1.2?
1146135940 M * daniel_hozac 1.2 is a completely different codebase. does it even have ccaps?
1146135947 M * Hollow well, we could introduce a dummy capability that can't be removed from contexts and does nothing
1146135953 M * baggins Hollow: I only poked the code and don't see it
1146135961 M * Hollow but this isn't a good idea since no capability number is free anymore, right? ;)
1146136004 M * daniel_hozac indeed.
1146136118 J * softi42 ~softi@p549D503C.dip.t-dialin.net
1146136175 Q * pagano Ping timeout: 480 seconds
1146136632 M * Hollow baggins: may/should i add you to the CC of the GLSA?
1146137055 M * baggins Hollow: you may, but I don't use gentoo
1146137076 M * Hollow well, just thought you want to be credited or such..
1146137458 M * baggins Hollow: that would be nice :)
1146137484 M * baggins Hollow: baggins@pld-linux.org
1146137511 M * daniel_hozac heh.
1146137557 M * Hollow :)
1146137653 M * Hollow oh, hm... i can't add you to cc unless you have an account, so i just mention it in the glsa..
1146137654 M * baggins daniel_hozac: I'm not able to think of any fix other than adding a uid == 0 check to vx_ccaps() :(
1146137678 M * daniel_hozac baggins: which uid then? :)
1146137701 M * baggins now that is the question :)
1146137707 Q * Smutje Remote host closed the connection
1146138834 M * baggins daniel_hozac: euid is my guess, try `chmod u+s /bin/id ; /bin/id` ;)
1146139219 J * Smutje ~Smutje@xdsl-87-78-98-134.netcologne.de
1146140689 J * pagano ~pagano@lappagano.cnaf.infn.it
1146140946 M * baggins daniel_hozac: a better idea - clear vx_info->{b,c}caps for non-root processes
1146141335 M * Hollow isn't vxi per-context, and not per-process?
1146141467 M * baggins ah, could be, I see in the patch that it just copies the pointers, not the contents
1146141526 M * Hollow but you could add the ccaps to the process, just beside the normal caps, no?
1146141548 M * baggins so we are left with http://sith.mimuw.edu.pl/~baggins/vserver/delta-ccaps-fix02.diff
1146141592 M * baggins personally i don't like it, but i see no other way
1146141867 M * baggins Hollow: all I see in task_struct is:
1146141872 M * baggins + struct vx_info *vx_info;
1146141875 M * baggins + struct nx_info *nx_info;
1146141878 M * baggins + xid_t xid;
1146141881 M * baggins + nid_t nid;
1146141962 J * doener ~doener@i5387D001.versanet.de
1146141988 M * baggins ccaps are global context capabilities as I see it, i.e. the context is capable, not processes
1146142098 M * Hollow yes, but you could just add another kernel_cap_t to the task_struct as a copy of the ccaps in vxi, and clear it if non-root
1146142213 M * Hollow this on the other hand would mean you have to update all copies in root processes if you update those in vxi
1146142293 M * baggins or set it to something that means "don't look here, check vx_info instead" for root processes
1146142322 M * baggins or just set vx_info to NULL for non-root processes
1146142354 M * baggins but NULL setting may have unwanted side effects
1146142470 M * baggins maybe something like this: if (current->vx_ccaps != 0) then current->vx_info->vx_ccaps
1146142545 M * Hollow do you know the file/line where caps are dropped currently?
1146142575 M * baggins not yet, I'm looking for it :)
1146142589 M * Hollow heh, kernel grepping is a pita
1146142617 M * baggins kernel/fork.c or kernel/sys.c should be close
1146142969 J * kilgur user@p50811AB6.dip0.t-ipconnect.de
1146142976 J * sladen paul@starsky.19inch.net
1146142978 J * redtux ~redtux@pc199.pub.univie.ac.at
1146142980 J * shedi ~siggi@tolvudeild-201.lhi.is
1146142985 J * matta ~matta@c-68-32-202-140.hsd1.pa.comcast.net
1146142988 J * click click@ti511110a080-3573.bb.online.no
1146142995 J * derjohn ~derjohn@80.69.37.19
1146143004 J * gerrit ~gerrit@c-67-160-146-170.hsd1.or.comcast.net
1146143095 M * baggins Hollow: security/commoncap.c line 261, function cap_task_post_setuid
1146143138 M * Hollow yay, thanks
1146143139 M * Hollow :P
1146143326 J * restill ~restill@c-24-11-171-10.hsd1.mi.comcast.net
1146143526 M * Hollow so, what about a bool (int) that states whether cap_emulate_setxuid has been called to clear the normal caps => don't check vxi->vx_ccaps anymore
1146143827 Q * matta Ping timeout: 480 seconds
1146143830 M * baggins sounds good to me
1146143855 M * Hollow daniel_hozac: what do you think?
1146143863 M * Hollow and, especially, what does Bertl think :)
1146143871 M * Hollow but i think it could work
1146143919 M * baggins Bertl_zZ: wake up, there's coding to do ;)
1146143923 M * Hollow heh
1146143939 M * Hollow need sth to eat, brb
1146144042 Q * brc Ping timeout: 480 seconds
1146144145 Q * _coocoon_ Remote host closed the connection
1146144194 Q * VooDooMaster Quit: Beware of programmers who carry screwdrivers.
1146144608 Q * ksf Quit:
1146144671 J * lilalinux ~plasma@dslb-084-058-219-087.pools.arcor-ip.net
1146145276 Q * pollux Remote host closed the connection
1146145354 J * matta ~matta@c-68-32-239-173.hsd1.pa.comcast.net
1146145355 M * daniel_hozac Hollow: that sounds just like adding another capability, without adding another capability :)
1146145378 M * Hollow yes, that's the idea :D
1146145700 M * baggins brb
1146145705 Q * baggins Quit: leaving
1146146407 Q * chelli Quit: Leaving
1146146587 J * baggins baggins@kenny.mimuw.edu.pl
1146147153 J * pollux foobar@image4.cpe.fr
1146147714 J * _coocoon_ ~coocoon@p54A0799E.dip.t-dialin.net
1146148156 Q * _coocoon_ Quit: KVIrc 3.2.0 'Realia'
1146148173 Q * ||Cobra|| Remote host closed the connection
1146148269 M * otaku42 question: if i bind a daemon to 127.0.0.1 in a guest, will it be reachable from inside other guests?
1146148381 M * daniel_hozac yes, because 127.0.0.1 is rewritten to the first IP address of the guest.
1146148487 M * otaku42 daniel_hozac: does that mean that external users (who are neither on the host nor on any of the guests) can also connect to that daemon, unless i have appropriate netfilter rules set up?
1146148605 M * daniel_hozac yes.
1146148616 M * otaku42 daniel_hozac: oh. good to know, thanks.
1146149464 N * Bertl_zZ Bertl
1146149477 M * Bertl morning folks!
1146149491 M * Bertl baggins: ah?
1146149510 J * mountie ~mountie@CPEdeaddeaddead-CM000a739acaa4.cpe.net.cable.rogers.com
1146149533 M * Bertl welcome mountie!
1146149703 M * nebuchadnezzar hello Bertl, it seems you have some work :-)
1146149738 M * Bertl ah, just read it, yeah, should be || instead of &&
1146149755 M * daniel_hozac hmm?
1146149763 M * daniel_hozac that makes them useless.
1146149770 M * daniel_hozac you'll need CAP_SYS_ADMIN too.
1146149776 M * Bertl !capable(CAP_SYS_ADMIN) || !vx_ccaps(VXC_SECURE_REMOUNT)
1146149792 M * Bertl according to logics that is identical to
1146149802 M * Bertl !(capable(CAP_SYS_ADMIN) && vx_ccaps(VXC_SECURE_REMOUNT))
1146149807 M * daniel_hozac which i've already said is completely wrong :)
1146149822 M * baggins Bertl: dump that patch to the bit bucket where it belongs
1146149826 M * daniel_hozac http://sith.mimuw.edu.pl/~baggins/vserver/delta-ccaps-fix02.diff
1146149829 M * Bertl ahh, it's morning ...
1146149848 M * Bertl have to get some breakfast first ...
1146149853 M * baggins Bertl: fix02 is the correct one
1146149890 A * baggins has to go, be back later
1146149984 M * Bertl hmm, I don't like fix02 either ..
1146149996 M * daniel_hozac i don't think anyone does :)
1146149997 M * baggins Bertl: me neither :)
1146150035 M * baggins but it's better than allowing any user to set hostname, edit quotas or mount something
1146150056 M * Bertl nah, we implement the bcaps mask as discussed
1146150073 M * daniel_hozac well, how does that fix the ccaps?
1146150091 M * daniel_hozac you still don't want to give all of CAP_SYS_ADMIN to guests.
1146150102 M * Bertl it's simple
1146150121 M * Bertl root inside a guest then has two bcaps, call them bcaps and bcaps'
1146150152 M * Bertl one is the value the task has assigned, the other the one the permission check uses _after_ masking it with the bcapmask
1146150165 M * Bertl the vx_ccaps(VXC_SECURE_REMOUNT) becomes:
1146150173 M * Bertl vx_ccaps(VXC_SECURE_REMOUNT, CAP_SYS_ADMIN)
1146150226 M * Bertl with the following logic
1146150270 M * Bertl (bcaps & CAP_SYS_ADMIN) && ((bcaps' & CAP_SYS_ADMIN) || (ccaps & VXC_SECURE_REMOUNT))
1146150304 M * daniel_hozac ah, i see. clever.
1146150405 M * Bertl can you do a script which finds all the cases we have to inspect?
1146150421 M * Bertl I guess they will match a quite simple scheme
1146150454 M * daniel_hozac won't pretty much every vx_ccaps invocation need that sort of thing?
1146150470 M * Bertl no
1146150478 M * Bertl well, maybe
1146150502 M * Bertl definitely all which do check on caps which are _not_ given to guests
1146150536 M * daniel_hozac isn't that the purpose of the ccaps? to give smaller slices of larger bcaps?
1146150541 M * Bertl but I agree, probably it's easier to inspect all of them
1146150551 M * daniel_hozac there aren't that many.
1146150619 M * daniel_hozac 7 files, 22 invocations.
1146150622 M * Bertl okay, let's do that step by step
1146150629 M * Bertl first, the bcap mask
1146151317 Q * pagano Ping timeout: 480 seconds
1146151655 J * Viper0482 ~Viper0482@p54975DD4.dip.t-dialin.net
1146151970 M * Bertl welcome Viper0482!
1146152964 J * orzel ~orzel@freehackers.org
1146152971 M * Bertl welcome orzel!
1146152976 M * orzel guys, i want ipv6 quick ! :)
1146152984 M * orzel Bertl: you're a bot ? :)
1146152986 M * Bertl hand over the money then :)
1146152999 M * orzel Bertl: where are you ?
1146153009 M * orzel .at ?
1146153013 M * Bertl currently at home, yes
1146153070 M * orzel port forwarding is not fun, and if i want to have several web servers on different vservers i have two choices
1146153080 M * orzel apache proxying (yuck), or ipv6 (great :)
1146153103 M * Bertl it's on our todo list, IMHO you have two options here
1146153114 M * Bertl 1) sponsor ipv6 development
1146153117 M * orzel three. i can code, pay, or wait
1146153121 M * Bertl 2) get your hands dirty and code
1146153141 M * Bertl yeah, well, wait doesn't solve the 'quick' aprt :)
1146153146 M * Bertl *part
1146153161 M * orzel coding ipv6 on a virtualized server. GEEEEEE, i'm said to be good at code, but i don't think i could do that...
1146153189 M * orzel that would mean hacking the patched kernel, right ?
1146153190 M * Bertl but you might help with testing, if you have ipv6 knowledge
1146153208 M * orzel actually i think ipv6 would be the biggest problem, especially wrt the implementation.
1146153233 M * orzel my knowledge of ipv6 is: i've got an almost working ipv6 here. that would be easy to use for testing vservers
1146153268 M * orzel my vservers are on my gateway. fortunately ipv6 still works on the non-virtual computer, so i still have ipv6 connectivity in the flat
1146153294 M * orzel if you were on freenode (as everybody) you would see i'm connecting using ipv6 :)
1146153338 M * Bertl well, not everybody is on freenode :)
1146153380 Q * orzel Remote host closed the connection
1146153393 J * _orzel ~orzel@berlioz.ethernet.freehackers.org
1146153402 M * Bertl wb _orzel!
1146153414 M * _orzel m irc6.oftc.net is not really ipv6...
1146153426 M * _orzel ah!, it is
1146153429 M * _orzel just i've changed my name
1146153432 N * _orzel orzel
1146153436 M * orzel there :)
1146153701 M * Bertl well, basically you could start right now with creating ipv6 test scenarios
1146153744 M * Bertl http://vserver.13thfloor.at/Stuff/TEST/
1146153755 M * Bertl this is what we test on ipv4 atm
1146154041 J * bonbons ~bonbons@83.222.37.206
1146154048 M * Bertl welcome bonbons!
1146154072 Q * shedi Read error: Connection reset by peer
1146154810 M * bonbons Hi Bertl!
1146154831 M * Bertl bonbons: orzel is interested in (helping with) ipv6 :)
1146154867 M * orzel i'm interested in having ipv6, and i (might) help testing :)
1146155023 J * phreak`` ~phreak``@styx.xnull.de
1146155097 N * otaku42 otaku42_away
1146155176 J * llexpoiuy mirtillo@151.80.11.222
1146155183 M * Bertl welcome llexpoiuy!
1146155198 P * llexpoiuy
1146155305 M * bonbons Bertl, orzel: Ok, I need to check my current patch for completeness and do some own testing first, will be during the week-end
1146155330 M * Bertl okay, would appreciate a prerelease to that ...
1146155352 M * bonbons this evening and tomorrow I won't get time to do much
1146155405 M * bonbons Bertl, what do you mean by 'prerelease'? alpha-kind, beta kind?
1146155466 M * orzel oh, great.
1146155477 M * orzel i'll stay lying on this chan, then
1146155487 M * orzel 'hidling', even
1146155501 A * orzel idle_task()
1146155504 M * Bertl make that ...
1146156107 J * _coocoon_ ~coocoon@p54A05EF0.dip.t-dialin.net
1146156116 M * _coocoon_ hello
1146156116 M * Bertl welcome _coocoon_!
1146156120 M * _coocoon_ hello bertl
1146156233 Q * Viper0482 Ping timeout: 480 seconds
1146156518 J * coocoon3 ~coocoon@p54A0547C.dip.t-dialin.net
1146156774 Q * _coocoon_ Ping timeout: 480 seconds
1146156786 J * Viper0482 ~Viper0482@p54974F04.dip.t-dialin.net
1146157212 Q * knotty Quit: Parti Ailleurs
1146157579 Q * gerrit Ping timeout: 480 seconds
1146158219 Q * lilalinux Ping timeout: 480 seconds
1146158740 J * lilalinux ~plasma@dslb-084-058-241-076.pools.arcor-ip.net
1146158997 M * daniel_hozac Bertl: are you working on the mask bcaps thing now?
1146159009 M * Bertl yup
1146159027 M * Bertl first part is already done
1146159036 M * Bertl will upload patches shortly
1146159059 M * daniel_hozac ok, cool.
1146159263 M * Bertl I'm just not sure how we should present the caps to the guest tasks
1146159270 M * Bertl i.e. masked or unmasked
1146159306 M * daniel_hozac present as in capget?
1146159323 M * Bertl masked would reflect the actual situation, unmasked would probably allow things like bind to work :)
1146159375 M * daniel_hozac well, either one would make BIND work. (as long as sys_capset is allowed to set capabilities that the guest doesn't have)
1146159376 M * Bertl but I think we should stay with the current view
1146159410 M * Bertl or maybe make proc masked, but capget unmasked?
1146159444 M * daniel_hozac i guess that makes sense.
1146159508 M * Bertl okay, guess we are on the right road here
1146159556 M * Bertl here is the first step (IMHO)
1146159564 M * Bertl http://vserver.13thfloor.at/Experimental/delta-capbset_feat01.diff
1146159578 M * Bertl we move the cap_bset into a separate vx_info field
1146159599 M * Bertl (basically virtualizing cap_bset, will get a syscall command to set it later)
1146159631 M * Bertl note: this immediately disables the bcap security
1146159673 M * daniel_hozac vx_cap_bset vs. vx_bcaps?
1146159685 M * Bertl yep, vx_bcaps will be the capmask
1146159703 M * Bertl while vx_cap_bset now becomes the cap_bset
1146159725 M * daniel_hozac i guess i fail to see the difference between them.
1146159744 M * Bertl well, vx_cap_bset is used where cap_bset would be
1146159756 M * Bertl nothing changed here to an unpatched kernel
1146159771 M * daniel_hozac what is cap_bset?
1146159784 M * Bertl the upper bound of caps in the cap system
1146159790 Q * kilgur Quit: Trillian (http://www.ceruleanstudios.com
1146159792 M * Bertl a global variable
1146159853 M * Bertl previously we mixed both into one
1146159868 M * Bertl i.e. the initial cap_bset was also the mask to apply everytime
1146159902 M * daniel_hozac does that need to be virtualized?
1146159916 M * Bertl well, not necessarily, but it won't hurt to have it
1146159936 M * Bertl i.e. it should not be measurable but it might come handy
1146159956 M * daniel_hozac ok.
1146160016 M * Bertl just checking, IIRC sysctl allows to set the
1146160018 M * Bertl *that
1146160047 M * Bertl we might want to consider initializing the guest to cap_bset though
1146160087 Q * phreak`` Quit: leaving
1146160100 M * daniel_hozac yeah.
1146160129 J * phreak`` ~phreak``@140.211.166.183
1146160133 M * Bertl okay, care to prepare a mini-fix for that?
1146160265 M * daniel_hozac +new->vx_cap_bset = CAP_INIT_EFF_SET; -> +new->vx_cap_bset = cap_bset;?
1146160270 M * Bertl yep
1146160386 M * daniel_hozac http://daniel.hozac.com/vserver/delta-capbset-feat01.1.diff
1146160393 M * Bertl excellent, tx!
1146160433 M * daniel_hozac are you waiting with rc18 for this?
1146160448 M * Bertl somewhat ...
1146160467 J * _mountie ~mountie@trb229.travel-net.com
1146160469 M * Bertl I have -rc18 here but it shows strange behaviour in regard of ip info
1146160487 M * daniel_hozac hmm? nioctl? or lo?
1146160510 M * Bertl not sure yet, checking ...
1146160520 J * gerrit ~gerrit@bi01p1.co.us.ibm.com
1146160522 M * Bertl I somewhat suspect my test setup, actually :)
1146160526 M * Bertl wb gerrit!
1146160536 M * Bertl .procname = "cap-bound",
1146160536 M * Bertl .data = &cap_bset,
1146160548 M * Bertl yep, it's named differently but part of sysctl
1146160842 M * mef hello
1146160850 M * Bertl hey mef!
1146160857 M * mef did you get a chance to read the paper?
1146160877 M * Bertl not yet, but I already downloaded it :)
1146160890 M * mef downloaded?
1146160893 M * mef I emailed it to you.
1146160903 M * mef It's not on the web anywhere.
1146160908 M * mef Only an old version is.
1146160910 M * Bertl yes, but email is remote ...
1146160917 M * mef sure
1146160929 Q * mountie Ping timeout: 480 seconds
1146160937 M * mef would love to know what you think!
1146160944 M * Bertl will tell you for sure ...
1146160966 J * glen_ ~glen@elves.delfi.ee
1146160980 M * Bertl welcome glen_!
1146160984 M * glen_ hello
1146160984 M * mef It needs some work in section 3 to smooth out the rough corners, fill in some gaps, as well as add anything that was left out.
1146161005 M * glen_ is it possible to configure vserver with internet access but not having interfaces/x with ip to public ip?
1146161033 M * daniel_hozac you could use NAT.
1146161048 M * glen_ because it can't reach the default gw
1146161066 M * Bertl hmm?
1146161083 M * glen_ or maybe it's possible to give interfaces/X an access but don't let 0.0.0.0 use it?
1146161109 M * Bertl please try to give us an idea how your network setup looks like
1146161115 M * glen_ daniel_hozac: like -j MASQUERADE for self?
1146161129 M * daniel_hozac -j SNAT.
1146161170 M * glen_ will it work for self originating packets?
1146161253 M * glen_ ie my setup is like: http://haarber.alkohol.ee/builder.txt
1146161281 M * glen_ i want to have full internet inside vserver, but i don't want listen on *:* bind on the public ip
1146161324 M * glen_ i have openvpn running inside, so i would still need to be able to bind to public ip
1146161331 M * glen_ is such thing possible that i want?
1146161501 M * glen_ daniel_hozac: like iptables -A POSTROUTING -t nat -s $internal_ip -j SNAT --to $public_ip ?
1146162013 J * _mountie_ ~mountie@CPEdeaddeaddead-CM000a739acaa4.cpe.net.cable.rogers.com
1146162147 J * the_hydra ~a_mulyadi@202.59.168.5
1146162155 M * Bertl welcome the_hydra!
1146162161 M * the_hydra hello bert!
1146162176 M * the_hydra a really boring day :|
1146162196 M * Bertl I'd like to disagree :)
1146162196 M * the_hydra explaining about ELF somehow become a daunting task for me :+
1146162217 M * the_hydra hehe, feel free to disagree :)
1146162243 M * Bertl daniel_hozac: okay, it seems to be related to my setup
1146162267 M * Bertl although I have no idea how this can happen
1146162422 M * Bertl daniel_hozac: http://vserver.13thfloor.at/Experimental/delta-mbcap-feat01.diff
1146162474 Q * _mountie Ping timeout: 480 seconds
1146162778 M * Bertl http://vserver.13thfloor.at/Experimental/TOOLS/vcmd-0.02.tar.bz2
1146162786 M * Bertl (updated to *_bcaps
1146162820 N * BobR_zZ BobR
1146162832 M * Bertl good morning BobR!
1146162860 M * BobR Good morning!
1146162861 M * Hollow hey Bertl!
1146162875 M * Bertl hey Hollow!
1146162905 M * Hollow where can i find the three patches you referred to?
1146162911 M * Hollow for the lag issue
1146162978 M * daniel_hozac Bertl: looks sane.
1146162978 M * Bertl http://vserver.13thfloor.at/Experimental/HOLLOW/
1146162996 M * Bertl Hollow: please get the test script with the kernel compile
1146163028 M * Bertl Hollow: and have that run with the following setups, while you (as expert) judge the lag
1146163044 M * Bertl 1) vanilla, 2.6.16.8/11
1146163059 M * Bertl 2) vs2.1.1 unmodified
1146163073 M * Bertl 3) vs2.1.1 patch-hollow01 reverted
1146163089 M * Bertl 4) vs2.1.1 only patch-hollow02 reverted
1146163096 M * Bertl 5) vs2.1.1 only patch-hollow03 reverted
1146163115 M * Bertl I'd suspect that if anything, then the hollow01 should change that
1146163121 M * Hollow ok, and what was -j99 about?
1146163128 M * Bertl please keep the timing results of the kernel build too
1146163133 M * Bertl sec, looking for the script
1146163133 M * Hollow i.e.?
1146163226 M * Bertl my network is awful today ... is a new virus out there?
1146163278 M * daniel_hozac http://vserver.13thfloor.at/Stuff/PERF/test.sh ?
1146163290 M * Bertl yep, tx, that one
1146163313 M * Bertl Hollow: adjust it to your setup, but do not skip steps like the unpack or delay
1146163357 M * Hollow ok, will do
1146163545 J * ray6 ~ray@vh5.gcsc2.ray.net
1146163550 M * ray6 reee
1146163662 Q * Hollow Quit: Konversation terminated!
1146164002 M * Bertl daniel_hozac: okay, could you give it a spin somewhere?
1146164010 M * Bertl hey ray6!
1146164045 M * ray6 Bertl: yeah, I've got a somehow instable connection here, throws me out every two month :)
1146164091 M * Bertl daniel_hozac: might be interesting to check if that is sufficient for bind too
1146164119 M * Bertl fixing up my test env now ...
1146164138 M * daniel_hozac Bertl: hmm, is it complete now?
1146164181 M * Bertl well, except for bugs, I'd say yes, why?
1146164245 M * Bertl ah, I know what you mean
1146164253 M * Bertl no, it doesn't cover the actual checks
1146164269 M * Bertl but for the bcap mask it should be finished
1146164287 M * daniel_hozac i thought i had missed something :)
1146164306 M * daniel_hozac i'll give it a spin.
1146164348 J * Hollow ~hollow@home.xnull.de
1146164364 M * Hollow hollow01 seems to absolutely fix it
1146164375 M * Hollow but if you want i'll let the script run completely
1146164490 J * brc bruce@20150248094.user.veloxzone.com.br
1146164570 M * Bertl Hollow: well, hmm .. it basically gives the guest a too high priority
1146164588 M * Bertl Hollow: but I suspected that this would cause the difference
1146164631 M * Bertl but I guess it is a bug, checking now
1146164644 M * Bertl i.e. it's not the final fix ...
1146164656 M * Hollow ok
1146164723 Q * Hollow Remote host closed the connection
1146164892 M * Bertl here is the fix for that:
1146164893 M * Bertl http://vserver.13thfloor.at/Experimental/delta-prio-fix01.diff
1146164946 J * Hollow ~hollow@home.xnull.de
1146165092 M * Bertl http://vserver.13thfloor.at/Experimental/delta-prio-fix01.diff
1146165143 M * Hollow will try in a second
1146165157 M * Bertl np, ontop of an rc17 kernel
1146165173 M * Bertl daniel_hozac: any new fixes to util-vserver ?
1146165209 M * Hollow Bertl: is there already a final fix for the cap thing?
1146165217 M * Bertl ongoing ...
1146165218 M * daniel_hozac http://daniel.hozac.com/vserver/util-vserver/ not since the start-vservers fix.
1146165220 M * Hollow ok
1146165310 M * Bertl daniel_hozac: quite something, not bad :)
1146165373 M * daniel_hozac most of the new ones are from the Debian/Gentoo packages.
1146165374 M * Hollow Bertl: you may find some more here: http://dev.croup.de/proj/gentoo-vps/browser/util-vserver/patches
1146165392 M * Bertl okay, tx
1146165418 M * Hollow (but probably only the gentoo specific ones)
1146165432 M * Hollow daniles repo is quite complete ;)
1146165437 M * Hollow *daniels
1146165438 M * daniel_hozac and some which i didn't really feel comfortable importing :)
1146165441 M * Hollow heh
1146165452 M * daniel_hozac (remove-traditional-syscall, clone)
1146165462 M * Hollow daniel_hozac: i also removed some useless ones you pointed out in the latest revision
1146165487 M * Hollow daniel_hozac: the syscall thing is for dietlibc on hardened gcc with PIE and such IIRC
1146165498 M * Hollow ssp and what not
1146165509 M * Hollow evil stuff anyway ;)
1146165521 M * daniel_hozac FC uses all of that.
1146165536 M * Hollow hm, maybe ~IIRC
1146165537 M * Hollow :P
1146165540 M * daniel_hozac i don't see why it would enable the traditional syscall.
1146165555 M * Hollow phreak`` should know the details about that patch
1146165568 M * daniel_hozac it should choose the alternative ones...
1146165769 M * Hollow the vprocunhide fix is obsolete as well
1146165997 J * phreak``_ ~phreak``@styx.xnull.de
1146166004 A * phreak``_ stabs phreak``
1146166030 M * Bertl how cruel :)
1146166045 M * Hollow ah.. the schizophrenic
1146166048 M * phreak``_ daniel_hozac: Hollow is right .. on .209 Bertl helped me figuring out why the utils somehow failed to compile with hardened
1146166052 M * the_hydra np, that's just Smith kills another SMith ;)
1146166057 M * phreak``_ Hollow: nope, can't login to the other host :P
1146166108 M * daniel_hozac phreak``_: and why weren't the alternative syscalls chosen?
1146166153 M * phreak``_ daniel_hozac: ask Bertl :) I just sponsored the machine (gentoo hardened) and he did the work
1146166189 M * Hollow ah yes.. i remember
1146166212 M * daniel_hozac interesting.
1146166215 J * shedi ~siggi@inferno.lhi.is
1146166217 M * Bertl IIRC, had something to do with the pic/nonpic code
1146166241 M * phreak``_ and I don't have a single clue anymore :)
1146166256 M * Bertl but it works, yes?
1146166269 M * phreak``_ Bertl: yeah :) it works :)
1146166276 M * Bertl good :)
1146166276 M * Hollow if diet would work with hardened.. *ahem*..
1146166282 M * Hollow phreak``_: or does it now?
1146166290 M * phreak``_ Hollow: not yet ..
1146166292 Q * phreak`` Ping timeout: 480 seconds
1146166305 M * phreak``_ hopefully I'll get to it when I'm back from my holidays ;)
1146166324 M * Hollow ok, but wasn't the fix trivial like filter_flags -nopie?
1146166341 M * phreak``_ Hollow: look at the dietlibc-0.29-r1 ebuild ;)
1146166361 M * Hollow ah yes
1146166366 M * Hollow so, what's missing?
1146166421 M * phreak``_ nothing .. but solar mentioned something about everything else (afair he's running a complete sys with diet) is compiling/running with hardened ..
1146166443 M * Hollow hm..
1146166448 M * Bertl everything else, but?
1146166455 M * phreak``_ Bertl: util-vserver :)
1146166460 M * Bertl aha, why?
1146166484 M * Bertl thought you said: yeah :) it works :)
1146166529 M * phreak``_ Bertl: yeah, when you filter the PIE stuff while compiling dietlibc .. then it works :) but if you don't then util-vserver is breaking on compile time
1146166534 M * the_hydra gtg bert
1146166536 M * the_hydra cu later
1146166549 M * Bertl cya the_hydra!
1146166557 M * phreak``_ Bertl: see http://bugs.gentoo.org/show_bug.cgi?id=114796
1146166569 M * Bertl phreak``_: is dietlibc able to do pie at all?
1146166575 Q * the_hydra Quit:
1146166577 M * phreak``_ Bertl: afair yes ..
1146166644 M * Bertl okay, what is compiled with dietlibc and pie except util-vserver?
1146166662 M * Bertl (in gentoo hardened that is :)
1146166684 M * phreak``_ Bertl: well if you don't use diet as libc, then nothing ;)
1146166702 M * Bertl ah, but that is/was done, yes?
1146166708 M * daniel_hozac hmm, how do you detect if something is PIE?
1146166720 M * Bertl should be an elf header
1146166771 M * Hollow i don't think these people use dietlibc as their libc
1146166775 M * phreak``_ but if you in fact use it as libc, then *everything* else (everything on that list http://phpfi.com/115081) should work
1146166796 M * Hollow is 114796 really still valid?
1146166839 M * daniel_hozac seems like it should be assigned to dietlibc.
1146166863 M * Hollow the bug? we maintain it :)
1146166896 M * daniel_hozac oh, heh.
1146166902 M * Hollow noone else wants to :P
1146166903 M * phreak``_ Hollow: If we're going to put the filter-flags into the other ebuilds, then 114796 is a non-issue, but if we're going to try to fix it proper (for real hopefully) then it's still an issue
1146166919 M * Hollow ok, then it is still an issue ;)
1146166982 Q * phreak``_ Quit: leaving
1146167003 J * phreak`` ~phreak``@140.211.166.183
1146167039 M * daniel_hozac i'm pretty sure Fedora is all PIE. i'm not sure how to make sure though...
1146167048 Q * Viper0482 Remote host closed the connection
1146167203 M * Bertl phreak``: do you have a PIE executable for me?
1146167205 J * phreak``_ ~phreak``@140.211.166.183
1146167226 M * phreak`` erm
1146167240 M * Bertl one you definitely know it is PIE
1146167271 M * phreak`` erm, didn't PIE got into gcc-4.1.0 ?
1146167291 M * Bertl just a binary, upload it anywhere
1146167302 M * Bertl I want to check something on it
1146167343 M * phreak`` sure
1146167414 M * phreak`` Bertl: http://dev.gentoo.org/~phreak/bash
1146167512 M * Bertl doesn't look like PIE to me
1146167520 M * Bertl readelf says: Entry point address: 0x805bd10
1146167535 M * Bertl but maybe I'm wrong here
1146167573 M * Bertl daniel_hozac: http://vserver.13thfloor.at/Experimental/delta-vxcapable-fix01.diff
1146167591 M * Bertl this should fix the 'original' issue, given that the mbcap changes work as expected
1146167609 Q * bonbons Read error: Connection reset by peer
1146167623 J * bonbons ~bonbons@83.222.39.134
1146167741 M * Bertl but I keep getting strange behaviour here, guess there is a bug in the mcaps stuff somewhere
1146167754 N * BobR BobR_oO
1146167756 M * Bertl checking now ...
1146167774 M * daniel_hozac hmm, won't the unmodified capable give the guest all caps in those checks?
1146167811 M * Bertl the capable is already restricted
1146167844 M * Bertl or it is supposed to be
1146167912 M * daniel_hozac ah, right, i missed that hunk.
1146167975 Q * mire Quit: Leaving
1146168304 M * harry Bertl: there?
1146168664 P * glen_
1146170022 Q * lilalinux Remote host closed the connection
1146170132 Q * phreak``_ Quit: leaving
1146170383 Q * _mountie_ Remote host closed the connection
1146170561 J * mountie ~mountie@CPEdeaddeaddead-CM000a739acaa4.cpe.net.cable.rogers.com
1146171181 J * Dr4g Dr4g@82-40-40-135.cable.ubr06.uddi.blueyonder.co.uk
1146171279 Q * mountie Remote host closed the connection
1146171324 J * mire ~mire@137-167-222-85.COOL.ADSL.VLine.Verat.NET
1146171468 J * mountie ~mountie@CPEdeaddeaddead-CM000a739acaa4.cpe.net.cable.rogers.com
1146171700 Q * mire Quit: Leaving
1146171885 Q * Dr4g Quit: Open Source Development :: http://dynamichell.org
1146172044 Q * mountie Remote host closed the connection
1146172093 J * Aiken ~james@tooax7-093.dialup.optusnet.com.au
1146172394 J * DEac- ~deac@xdsl-84-44-145-55.netcologne.de
1146172400 M * DEac- moin
1146172426 M * Bertl ah, network is really great today ... back now
1146172431 M * DEac- i get following message: chbind: kernel does not provide network virtualization
1146172437 M * DEac- disable legacy networking kernel api is disabled
1146172464 M * Bertl testme.sh output?
1146172474 M * daniel_hozac did you also enable the legacy version option?
1146172485 M * tokkee DEac-: Check your Kernel config and uncheck "disable legacy networking kernel API" ;-)
1146172486 M * DEac- i read, that this must be disabled, then i don't get this message, but i get it. what can be wrong too?
1146172503 M * DEac- tokkee: it is disabled
1146172539 M * Bertl DEac-: http://vserver.13thfloor.at/Stuff/SCRIPT/testfs.sh run it on the host and upload the output soemwhere
1146172543 M * Bertl *somewhere
1146172551 M * daniel_hozac hmm, testfs?
1146172559 M * Bertl *argh*
1146172564 M * Bertl http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh
1146172570 M * Bertl daniel_hozac: tx!
1146172593 M * Bertl harry: yes
1146172600 M * harry aha
1146172604 M * DEac- Bertl: you mean me or daniel_hozac ?
1146172611 M * tokkee DEac-: Disable is disabled? ;-) I'm not sure what you mean ;-)
1146172615 M * harry i want to get to work again...
1146172620 A * harry has a 2.6.16.11 kernel
1146172624 M * harry i have 2.1.9 grsec
1146172625 M * daniel_hozac DEac-: you.
1146172629 M * DEac- tokkee: there's no [*] *g*
1146172633 M * harry which is the best stable release of vserver?
1146172638 M * DEac- tokkee: there's a [ ]
1146172643 M * tokkee DEac-: Ah okay ;-)
1146172664 Q * bonbons Quit: Leaving
1146172667 M * daniel_hozac harry: 2.0.2-rc17, but you might want to wait a bit.
1146172667 M * Bertl harry: probably the upcoming 2.0.2-rc18
1146172677 M * daniel_hozac for that :)
1146172698 M * tokkee DEac-: Just run testme.sh as suggested by Bertl - he and daniel_hozac can probably provide some better help ;-)
1146172726 M * harry aha
1146172730 M * harry so not the 2.1.0 ?
1146172735 M * daniel_hozac harry: that's devel....
1146172748 M * DEac- http://rafb.net/paste/results/9RvY7v13.html
1146172752 M * Bertl tx
1146172752 A * harry running production servers in devel vserver now... hmm... :)
1146172754 M * daniel_hozac harry: and that would be 2.1.1-rc17/18.
1146172786 M * Bertl harry: devel is fine, but you explicitly asked for the stable branch
1146172787 M * derjohn rc18 close?
1146172809 M * harry Bertl: for production... i would preferably use stable patches :)
1146172820 M * daniel_hozac DEac-: you need to disable the legacy version option.
1146172850 M * DEac- show a legacy version id?
1146172854 M * daniel_hozac yes.
1146172855 Q * Hondo Ping timeout: 480 seconds
1146172862 M * Bertl daniel_hozac: it's not showing a legacy version?
1146172869 M * daniel_hozac DEac-: or rebuild the utils with all the older APIs enabled.
1146172879 M * daniel_hozac Bertl: /proc/virtual/info doesn't, just the syscall.
1146172885 M * DEac- i think, i rebuild the kernel ;)
1146172893 M * harry when will there be a 2.0.2 release?
1146172897 M * harry eta ?
1146172899 M * daniel_hozac harry: RSN ;)
1146172918 M * Bertl daniel_hozac: aha, interesting, sounds like a bug then
1146172932 M * derjohn harry, for linux vserver that doesnt really count ... read devel as "featurerich stable" and exp as "progressive" :)
1146172979 M * daniel_hozac Bertl: although, being able to get the real version ID somehow isn't a terrible idea...
1146173000 M * daniel_hozac and nothing should rely on /proc/virtual/info :)
1146173017 M * doener Bertl: hm, yeah, we had the same issue a few days ago... that was when I failed to bend my head around the compat/legacy/v13 stuff ;)
1146173035 M * Bertl maybe we should show both there then
1146173048 M * daniel_hozac well, vserver-info does show the legacy version.
1146173058 M * daniel_hozac or do you mean in testme?
1146173066 M * Bertl testme
1146173084 M * daniel_hozac testme could just decode the VCIConfig bit.
1146173093 M * daniel_hozac err, s/Config/Kernel/
1146173111 M * Bertl yes
1146173111 M * daniel_hozac (which it should do either way, no?)
1146173161 M * Bertl did you get around testing the fixes?
1146173179 M * daniel_hozac not yet, i'm still installing my test box.
1146173196 M * Bertl I'm observing very strange things here on my test setup
1146173201 M * daniel_hozac (i've been putting that off for too long anyway)
1146173208 M * daniel_hozac hmm?
1146173214 M * Bertl I'm definitely inside a chbind/chcontext jail
1146173224 M * Bertl cat /proc/self/ninfo
1146173224 M * Bertl NID: 49155
1146173224 M * Bertl V4Root[0]: 192.168.0.2/255.255.255.0
1146173224 M * Bertl V4Root[bcast]: 10.255.255.255
1146173233 M * Bertl cat /proc/self/vinfo
1146173233 M * Bertl XID: 1001
1146173233 M * Bertl BCaps: 00000000346c04ff
1146173255 M * Bertl but I can see all network devices with ifconfig and ip addr ls
1146173276 M * Bertl (logged on via ssh, so everything should be fine)
1146173297 M * doener hm, hide_netif turned off?
1146173314 M * Bertl yeah, but why?
tools are latest (0.30.210)
1146173324 M * Bertl I have to admit that it is a legacy guest
1146173326 M * daniel_hozac nothing in flags?
1146173341 M * Bertl is this broken somehow?
1146173372 M * daniel_hozac i wouldn't be surprised, the legacy configuration enables an entirely different codepath.
1146173384 M * daniel_hozac different utils altogether.
1146173387 M * doener did legacy configs know about hide_netif at all?
1146173394 M * daniel_hozac no.
1146173399 M * Bertl no, but it was 'the default'
1146173438 M * daniel_hozac is it the default in the kernel?
1146173446 M * Bertl maybe we should apply certain default flags on the kernel side
1146173499 M * Bertl so, what you are basically saying is that recent tools require a legacy kernel interface to start legacy guests, yes?
1146173519 M * Bertl and that they also _use_ the legacy interface to start them, right?
1146173553 M * daniel_hozac legacy guests don't use vcontext/vattribute/etc., but chcontext-compat and related legacy components.
1146173563 M * doener they actually use the legacy tools
1146173586 M * Bertl okay, so we could fix that up at kernel level, right?
1146173610 M * daniel_hozac or see it as incentive to get everyone to upgrade to the new configuration style ;)
1146173629 M * Bertl well, yes, but we don't want to break legacy if it is compiled in
1146173643 M * Bertl it won't work with legacy disabled in the kernel in this case anyway
1146173699 M * daniel_hozac hmm, or maybe i misread this. does vserver --debug legacy start show the "usual" command?
1146173717 J * mire ~mire@53-167-222-85.COOL.ADSL.VLine.Verat.NET
1146173752 M * daniel_hozac ah, nevermind that.
1146173753 M * Bertl wb mire!
1146173756 M * daniel_hozac i was looking at the wrong script.
1146173836 M * Bertl I see this on startup:
1146173837 M * Bertl http://vserver.13thfloor.at/Experimental/legacy_startup.info
1146173838 J * mountie ~mountie@CPEdeaddeaddead-CM000a739acaa4.cpe.net.cable.rogers.com
1146173843 M * Bertl wb mountie!
1146173981 M * daniel_hozac yeah, legacy guests use nice chbind chcontext-compat save_s_context capchroot to enter it.
1146174014 J * VAndreas ~Hossa@212.110.98.7
1146174057 M * Bertl welcome VAndreas!
1146175271 M * mugwump What do I need to do so that chbind may work? Or is there a newer way?
1146175289 M * Bertl hmm? chbind should work
1146175297 M * mugwump chmagnus:/usr/lib/util-vserver# chcontext chbind --ip 192.168.254.5 /bin/sh
1146175297 M * mugwump New security context is 49209
1146175297 M * mugwump chbind: vc_net_create(): Operation not permitted
1146175340 M * Bertl you are creating a new security context
1146175349 M * Bertl inside the context, the chbind is not permitted
1146175359 M * Bertl chbind --ip 192.168.254.5 chcontext
1146175377 M * Bertl but please, don't use dynamic contexts except for testing
1146175393 M * mugwump actually within this script they're not dynamic per se
1146175401 M * mugwump the calling script generates the XID
1146175406 M * Bertl okay
1146175425 M * mugwump Hopefully we'll get vserver xxx build -m fai at the end of this...
1146175749 Q * VAndreas Ping timeout: 480 seconds
1146175750 M * mugwump is there a way to put vattribute in that command sequence, or does it have to be external?
1146175767 M * Bertl usually you have a setp sequence
1146175770 M * Bertl *setup
1146175788 M * Bertl i.e. you start with a vcontext creation, then set the properties, then exit setup mode
1146175796 M * mugwump right, do the userland tools expose this?
1146175815 Q * coocoon3 Quit: KVIrc 3.2.0 'Realia'
1146175822 M * Bertl yes, just look at the vserver - start --debug stuff
1146175828 Q * ZLinux Ping timeout: 481 seconds
1146175855 M * mugwump thanks
1146175896 J * ZLinux ~Zaki@212.118.98.213
1146175931 M * mugwump it's funny dealing with the 'interesting' assumptions fai makes :)
1146175971 M * mugwump seems to want to mount -t tmpfs with reckless and wanton abandon
1146176026 J * VAndreas ~Hossa@212.110.98.7
1146176072 M * mugwump does secure_mount let you mount anything other than bind mounts?
1146176113 M * Bertl yes, actually it allows you to do much more
1146176155 M * mugwump is there a good summary anywhere?
1146176163 M * Bertl not yet
1146176186 M * mugwump ok. I'm guessing it lets you network mount and mount devices you have access to, but with a selection of secure mount flags (like no_dev)
1146176198 M * mugwump is that a good guess? :)
1146176212 M * Bertl yes, but network mounts usually require the binary mount capability too
1146176225 M * mugwump right
1146176353 M * DEac- this message i don't find in faq: vcontext: open("/dev/null"): Permission denied
1146176377 M * Bertl hmm, yeah, looks a little unusual, when do you get it?
1146176394 M * DEac- if i try to start a vserver
1146176424 M * Bertl okay, how did you get the guest?
1146176442 M * Bertl (i.e. was it installed by the tools, or did you copy some existing installation?)
1146176445 M * DEac- it's a gentoo-stage3
1146176467 M * DEac- http://www.gentoo.org/doc/en/vserver-howto.xml 3.1
1146176469 M * Bertl does it contain a /dev dir with some (approximately 8) devices?
1146176488 M * DEac- yes, all devs exist
1146176495 M * Bertl all?
1146176511 M * DEac- nearly all possible devs
1146176521 M * Bertl inside the guest?
1146176524 M * DEac- yes
1146176535 M * Bertl Hollow: is that a bug?
1146176554 M * DEac- i made it like in this howto below
1146176555 M * Bertl DEac-: there is a 'special' vserver guest layout, did you use that?
1146176580 M * DEac- i don't know
1146176616 M * Bertl let's wait a moment, either Hollow or phreak`` should know
1146176630 M * DEac- ok
1146176663 M * DEac- oh, i see, a mistake i made, i try an other way
1146176769 M * DEac- ah, i think, i've found the problem. in the howto there's a link, which i haven't followed
1146176783 M * Bertl ah, okay, then let's try that one first ...
1146177769 M * DEac- the same
1146177786 M * Bertl okay, let's try to start it with:
1146177793 M * Bertl vserver start --debug
1146177800 M * Bertl and upload the output somewhere
1146177873 M * DEac- vserver ... start: unknown option '--debug'
1146177933 M * daniel_hozac vserver --debug start
1146177941 M * DEac- oh, while the install there are some errors, i see
1146177942 M * Bertl ah, yes sorry ...
1146178026 M * DEac- i think, i should solve these errors first
1146178067 M * DEac- http://rafb.net/paste/results/KFiHEb96.html
1146178122 Q * mountie Quit: LUNCK!
1146178183 M * mugwump hmm, I'm getting lots of '/dev/null: Permission denied' messages
1146178189 M * mugwump but /dev/null is crw-rw-rw- 1 root root 1, 3 Apr 28 10:12 /dev/null
1146178195 M * DEac- mugwump: i too
1146178235 M * mugwump it's on tmpfs
1146178272 M * daniel_hozac mugwump: mounted nodev?
1146178295 M * DEac- ah, this can be the problem
1146178297 M * mugwump just checking
1146178311 M * mugwump it's mounted from outside the vserver, but inside the vnamespace
1146178331 J * mountie ~mountie@CPEdeaddeaddead-CM000a739acaa4.cpe.net.cable.rogers.com
1146178332 M * DEac- my fs is mounted with nodev
1146178335 M * daniel_hozac what is fai?
1146178361 M * mugwump Debian Fully Automatic Installation
1146178375 M * daniel_hozac hmm, how does that differ from debootstrap?
1146178376 M * mugwump bah, it is nodev
1146178390 M * mugwump it uses debootstrap, then finishes the job
1146178396 M * daniel_hozac ah, ok.
1146178403 M * daniel_hozac the base-config stuff?
1146178406 M * mugwump it's just like Solaris Jumpstart
1146178410 M * Bertl DEac-: ah, that explains it ...
1146178414 M * mugwump you can add profiles etc
1146178430 M * daniel_hozac cool.
1146178484 M * daniel_hozac DEac-: are you sure that stage3 is complete?
1146178526 M * DEac- daniel_hozac: what's the meaning of complete?
1146178608 M * DEac- ok, it runs
1146179283 M * mugwump /var/lib/vservers/fai/usr/lib/fai/nfsroot/usr/sbin/fai # what a path
1146179319 M * daniel_hozac hehe, yeah.
1146179331 M * daniel_hozac my builders get similar ones.
1146180400 M * DEac- my guest-system runs :)
1146180406 M * Bertl excellent!
1146180419 M * DEac- now i can install my software, i need
1146180485 M * DEac- cu
1146180503 M * Bertl cya
1146180681 M * Bertl daniel_hozac: okay, looks good here so far, any issues on your side?
1146180751 M * daniel_hozac i'm still working on the reinstall, unfortunately.
1146180765 M * Bertl ah, okay, will wait a little longer then
1146180788 M * Bertl Hollow: any results with the fix?
1146180955 Q * cehteh Ping timeout: 480 seconds
1146181125 J * jkl eric@c-71-56-216-223.hsd1.co.comcast.net
1146181132 M * Bertl welcome jkl!
1146181172 M * jkl hey bertl
1146181178 M * jkl it's always nice to see you!
1146181225 M * Bertl the pleasure is mine!
1146181347 M * jkl hehe
1146181364 A * jkl can't wait for school to be over so he can play with vservers again
1146181404 M * Bertl daniel_hozac: what do you think of this addition to stable? http://vserver.13thfloor.at/Experimental/delta-priobias-feat01.diff
1146181461 M * daniel_hozac i don't feel like i know enough about the scheduler things to comment.
1146181575 M * daniel_hozac jkl: why wait? it's always nice to have something to do during breaks :)
1146181583 M * daniel_hozac (and during boring classes ;))
1146181662 M * Bertl daniel_hozac: nevertheless maybe we should go the conservative way regarding the vc_ccaps() and check for the euid on stable ... your opinion?
1146181687 M * daniel_hozac yeah, this is a rather big change.
1146181701 M * jkl daniel_hozac: i've got a week and a half left, and i'm failing 3 classes
1146181702 M * daniel_hozac i guess we can add it for 2.0.3.
1146181711 M * jkl because i spend too much time playing with vserver :)
1146181736 M * daniel_hozac lol
1146181749 M * jkl oh well
1146181929 Q * DEac- Ping timeout: 480 seconds
1146182249 Q * matta Ping timeout: 480 seconds