1295398366 Q * melbar Remote host closed the connection
1295400444 M * Bertl off to bed now ... have a good one everyone!
1295400448 N * Bertl Bertl_zZ
1295401009 Q * fzylogic Quit: DreamHost Web Hosting http://www.dreamhost.com
1295418280 Q * manana Remote host closed the connection
1295423105 J * petzsch ~markus@dslb-088-075-175-221.pools.arcor-ip.net
1295424868 J * thierryp ~thierry@home.parmentelat.net
1295426674 Q * petzsch Quit: Leaving.
1295426676 J * manana ~mayday090@84.17.25.149
1295429208 Q * jeroen_ Quit: Ex-Chat
1295429483 J * jeroen_ ~jeroen@imap.powerinternet.eu
1295429516 J * ktwilight__ ~keliew@91.176.75.51
1295429946 Q * ktwilight_ Ping timeout: 480 seconds
1295430329 J * ktwilight_ ~keliew@91.176.109.10
1295430329 Q * ktwilight__ Read error: Connection reset by peer
1295430455 J * barismetin ~barismeti@zanzibar.inria.fr
1295431182 J * BenG ~bengreen@cpc2-aztw22-2-0-cust83.aztw.cable.virginmedia.com
1295431832 Q * BenG Quit: I Leave
1295431872 Q * thierryp Remote host closed the connection
1295434034 J * melbar ~kiko@187.58.98.230
1295436370 Q * infowolfe Ping timeout: 480 seconds
1295436453 J * Weihnachtsmann ~YOSEF@ip-95-223-36-117.unitymediagroup.de
1295436491 M * Weihnachtsmann hi, I have a problem with the centos image in the ftp file space.. I install the image, and then I connect with SSH - the server says: Login? - root - connection closed..
1295436606 Q * Romster Remote host closed the connection
1295436625 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1295437144 Q * Piet Ping timeout: 480 seconds
1295437733 J * Piet ~Piet__@28IAAB6F2.tor-irc.dnsbl.oftc.net
1295438362 M * cehteh Weihnachtsmann: possibly disallowing remote root logins .. see man sshd_config and friends (and quite unrelated to vserver)
1295438424 Q * manana Quit: Terminated
1295439287 J * petzsch ~markus@dslb-088-075-175-221.pools.arcor-ip.net
1295439347 J * thierryp ~thierry@home.parmentelat.net
1295439476 P * petzsch
1295439957 J * petzsch ~markus@dslb-088-075-175-221.pools.arcor-ip.net
1295440053 Q * petzsch
1295440134 J * petzsch ~markus@dslb-088-075-175-221.pools.arcor-ip.net
1295442548 N * Bertl_zZ Bertl_oO
1295442869 M * pmjdebruijn Weihnachtsmann: did you set a root password in the vserver?
1295443244 Q * thierryp Remote host closed the connection
1295444534 Q * petzsch Read error: Connection reset by peer
1295444760 N * ensc Guest807
1295444770 J * ensc ~irc-ensc@p5DF2BC7A.dip.t-dialin.net
1295445168 Q * Guest807 Ping timeout: 480 seconds
1295445231 Q * Piet Ping timeout: 480 seconds
1295445785 J * Piet ~Piet__@28IAAB6H2.tor-irc.dnsbl.oftc.net
1295445975 J * petzsch ~markus@dslb-088-075-175-221.pools.arcor-ip.net
1295447107 M * Weihnachtsmann yes
1295447109 M * Weihnachtsmann I have
1295447688 Q * ruskie Remote host closed the connection
1295449028 Q * nox Quit: If the world is without walls and fences -- who needs Windows and Gates ?
1295449134 J * nox ~nox@host.noxlux.de
1295449836 J * ruskie ruskie@ruskie.user.oftc.net
1295449851 J * alpha_one_x86 ~kvirc@95.17.31.41
1295449877 M * alpha_one_x86 Hello, who can update vserver + grsec patch?
1295449913 M * alpha_one_x86 is iptables inside the guest planned?
1295450137 M * melbar I'm just a user and can't speak for the project, but I believe this is pretty hard to implement without compromising isolation among guests
1295450142 M * melbar and between guest and hosts
1295450283 M * melbar and the host, I mean
1295450291 M * alpha_one_x86 no, simply add -d [guest ip] where no ip is given for the input firewall
1295450329 M * melbar afaik, guests can have more than just one IP
1295450344 M * alpha_one_x86 It's to solve a scalability problem: I move guests between multiple hosts, and I must never forget the firewall on the host
1295450365 M * melbar and there are nat targets and other stuff
1295450375 M * melbar just limiting -d might not provide enough isolation
1295450377 M * alpha_one_x86 yes I know, then -s [ip1] -o -s [ip2], ... iptables supports multiple IPs
1295450421 M * melbar you could put your firewalling setup in the prepre-start.d
1295450423 M * alpha_one_x86 for NAT it changes nothing, the option can be disabled/enabled by kernel config
1295450453 M * melbar at least, that's what I've been doing and it's been working fine for me
1295450461 M * alpha_one_x86 I can't move the vserver config file either (context collision)
1295450489 M * alpha_one_x86 and anti-brute-force tools like fail2ban need iptables enabled
1295450524 M * melbar it takes a little programming, but you can easily find an empty context number and dump it into /etc/vserver/vserver/context
1295450540 M * alpha_one_x86 the isolation by -d in the firewall, where guests have their own firewall (isolated in the kernel by -d), is sufficient for me
1295450559 M * melbar you can get it today by setting up prepre-start.d scripts
1295450574 M * alpha_one_x86 I have some limitations in my company which mean I can't do it
1295450594 M * alpha_one_x86 everything should be inside the guest
1295450611 M * alpha_one_x86 fail2ban adds/removes iptables rules dynamically
1295450639 M * melbar can you do that from within the guest? (I never tried myself)
1295450647 M * melbar I think this needs some capabilities
1295450671 M * melbar and if you have those capabilities, I believe you can change iptables rules from within the guest
1295450704 M * melbar at the expense of being able to screw other guests' security if you mess up
1295450774 M * alpha_one_x86 actually: iptables inside the guest gives: operation not permitted
1295450789 M * alpha_one_x86 it's my problem
1295450799 M * melbar try setting CAP_SYS_ADMIN or CAP_NET_ADMIN or something like this
1295450832 M * melbar in your guest setup
1295450871 M * alpha_one_x86 it's an unknown key to me
1295450922 M * alpha_one_x86 iptables works in the guest, and I wish that the guest sees only its own firewall
1295450966 M * alpha_one_x86 it's isolation, it's better than currently (filter on the host or leave everything open)
1295451262 M * melbar if you do a vattribute --xid yourguest --set --bcap CAP_NET_ADMIN
1295451275 M * melbar you'll be able to change iptables rules from within the guest
1295451298 M * melbar (the iptables userspace utilities may complain about not being able to load modules but it'll work)
1295451324 M * melbar however, you'll be able to change anything, including messing up rules that have nothing to do with your guest
1295451351 M * melbar the vattribute must be done on the host. you can't do it from within the guest.
1295451377 M * melbar if you can't access the host, then I don't see how it could be done
1295451426 M * melbar CAP_NET_ADMIN also allows you to do other potentially nasty things, like changing the routing tables, etc.
1295451441 M * melbar it's a lot of power for a guest vserver to have
1295451495 M * melbar afaik, there is currently no way to limit those powers to your guest's ip
1295451585 N * melbar melbar_oO
1295451831 M * nox melbar_oO: put every guest into a chain and write a simple webfrondend which only allows to set rules in that chain good be a simple workaround
1295451845 M * nox front*
1295451871 M * nox argh s/good/could/
1295453093 J * thierryp ~thierry@82.226.190.44
1295453127 J * dna ~dna@dslb-094-222-120-073.pools.arcor-ip.net
1295453377 M * alpha_one_x86 I can't because it's across multiple guests/hosts
1295453493 M * daniel_hozac sure you can.
1295454360 Q * Romster Ping timeout: 480 seconds
1295454379 N * melbar_oO melbar
1295454413 M * melbar daniel: do you mean we can limit iptables powers in guests?
1295454680 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1295456009 J * oli71 579319cc@ircip1.mibbit.com
1295456028 M * oli71 good evening
1295456035 M * oli71 I have a routing question
1295456107 M * oli71 the setup we got is that there is one vserver that works as a proxy that takes the incoming requests and by using mod_proxy forwards them to other vservers
1295456119 M * oli71 so one website gets routed to vserver1, the next to vserver2
1295456158 M * oli71 now the tricky part - I need to access vserver1 from vserver2 using the public address. it works with the internal one but I need the DNS name
1295456178 M * oli71 because otherwise the solution does not work ... anyone done something like this before ?
1295456407 M * daniel_hozac why doesn't it work?
1295456451 M * arekm bah, CAP_CONTEXT conflicts with CAP_SYSLOG in .28+
1295456454 M * arekm 38+
1295456626 M * daniel_hozac hmm?
1295456654 M * daniel_hozac IIRC we moved CAP_CONTEXT to 63 in recent kernels.
1295456758 M * arekm oh, great (/me separately patches linux-libc-headers package)
1295457418 M * melbar oli71: it's kind of a kludge, but if you're using names, why don't you set up a static name <=> ip mapping in your /etc/hosts in your vserver2 (if I understood you right)
1295457428 Q * barismetin Remote host closed the connection
1295457609 Q * melbar Remote host closed the connection
1295457689 M * Weihnachtsmann where is the source for centos?
1295457736 Q * Romster Ping timeout: 480 seconds
1295457861 Q * Piet Ping timeout: 480 seconds
1295458024 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1295458410 J * Piet ~Piet__@28IAAB6MV.tor-irc.dnsbl.oftc.net
1295458424 M * daniel_hozac Weihnachtsmann: hmm?
1295458737 Q * thierryp Remote host closed the connection
1295458826 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1295459009 Q * Romster Ping timeout: 480 seconds
1295459312 J * melbar ~kiko@187.78.38.111
1295459461 J * hijacker_ ~hijacker@87-126-142-51.btc-net.bg
1295459717 M * oli71 melbar: I figured it out ... put the name in the hosts file
1295459727 M * oli71 and mapped it to the internal ip
1295459744 M * oli71 so the internal servers communicate but the externals use the same link and everything works :-)
1295459764 M * melbar precisely what I said
1295459774 M * melbar kludgy, but works
1295459792 M * melbar you'll have to remember to change this if you ever move the site
1295459797 M * melbar to another name
1295460518 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1295460690 J * infowolfe ~infowolfe@c-174-52-21-172.hsd1.ut.comcast.net
1295460804 M * Bertl_oO nap attack ... bbl
1295460813 N * Bertl_oO Bertl_zZ
1295461489 Q * Romster Ping timeout: 480 seconds
1295461639 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1295462409 Q * hijacker_ Read error: Connection timed out
1295462450 J * hijacker_ ~hijacker@87-126-142-51.btc-net.bg
1295462865 Q * nkukard Ping timeout: 480 seconds
1295463506 Q * hijacker_ Read error: Connection timed out
1295463529 J * hijacker_ ~hijacker@87-126-142-51.btc-net.bg
1295464757 J * nkukard ~nkukard@41-133-113-185.dsl.mweb.co.za
1295467629 Q * Weihnachtsmann Ping timeout: 480 seconds
1295467635 J * Weihnachtsmann josef@ip-95-223-36-117.unitymediagroup.de
1295468411 Q * oli71 Quit: http://www.mibbit.com ajax IRC Client
1295468768 Q * dna Quit: Leaving
1295469919 Q * alpha_one_x86 Quit: KVIrc Equilibrium 4.1.1, revision: 5206, sources date: 20101102, built on: 2010-12-29 12:21:01 UTC http://www.kvirc.net/
1295470069 J * trippeh_ atomt@uff.ugh.no
1295470185 Q * trippeh Ping timeout: 480 seconds
1295470406 J * cuba33ci_ ~cuba33ci@111-240-169-203.dynamic.hinet.net
1295470759 Q * cuba33ci Ping timeout: 480 seconds
1295470763 N * cuba33ci_ cuba33ci
1295470835 J * manana ~mayday090@84.17.25.149
1295470846 Q * petzsch Quit: Leaving.
1295471275 M * Guy- is some special guest capability required for guest processes to be able to drop linux capabilities?
1295471287 M * Guy- prctl() fails with EPERM for me
1295471572 J * petzsch ~markus@dslb-088-075-175-221.pools.arcor-ip.net
1295472226 M * daniel_hozac what's it trying to "drop" and set itself to?
1295472259 M * daniel_hozac is it trying to PR_CAPBSET_DROP?
1295472337 Q * bonbons Quit: Leaving
1295472753 Q * Piet Remote host closed the connection
1295472830 J * Piet ~Piet__@28IAAB6TJ.tor-irc.dnsbl.oftc.net
1295473299 M * Guy- meanwhile I gave the guest SETPCAP and now my capsh command line (from libcap2-bin) works
1295473322 M * Guy- capsh --drop=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_adm ...
1295473328 M * Guy- ... in,cap_setpcap,34 --print
1295473349 Q * petzsch Quit: Leaving.
1295473371 M * Guy- unfortunately I don't know what it's doing because strace doesn't decode the PR_ constant
1295473446 M * Guy- however, compartment(1) still fails:
1295473447 M * Guy- capset(0x20071026, 0, {CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID, CAP_SETGID|CAP_SETUID}) = -1 EPERM (Operation not permitted)
1295473464 Q * manana Remote host closed the connection
1295474144 Q * hijacker_ Quit: Leaving
1295475321 Q * Piet Ping timeout: 480 seconds
1295475336 M * Guy- I'm actually looking for a way to start a process as a non-root user but with the cap_setuid and cap_setgid capability in a vserver guest
1295475717 N * Bertl_zZ Bertl
1295476121 J * Piet ~Piet__@28IAAB6UR.tor-irc.dnsbl.oftc.net
1295476481 M * Bertl Guy-: what's the point in running as non root with CAP_SETUID and CAP_SETGID ?
1295476539 M * Guy- I'd like to start apache as non-root and give it the ability to start wsgi daemons as different users
1295476593 M * Bertl well, but apache can become 'root' at any time then?
1295476611 M * Bertl (so why not have it running as root in the first place?)
1295476634 M * Guy- it could become 'root' but still not have the full capability set of root
1295476652 M * Bertl then let it run as root, but reduce the capset, no?
1295476669 M * Guy- yes, that's the other possible approach
1295476768 M * Guy- otoh, I'm wondering how much this is really worth as a security measure, because being able to overwrite root's files is pretty much a full compromise
1295476800 M * Guy- (and if you have cap_setuid, you can switch to root and thus overwrite root's files)
1295476843 N * melbar melbar_oO
1295476862 M * daniel_hozac right...
1295476868 M * Bertl yes, in the long run not much security left ...
1295476868 M * daniel_hozac like make /bin/su something real nasty.
1295476923 M * Guy- so there is no real way then to allow apache to switch users without retaining the possibility of a root compromise...
1295476931 M * Bertl the usual approach for this scenario is to have a trusted exec in between with the necessary suid which switches to the 'new' user before doing anything else
1295476958 M * Guy- but that would have to be apache itself, wouldn't it
1295476997 M * Bertl could be something proxying for apache or something providing data via a pipe
1295477099 M * Guy- I suppose so, but this is becoming more complex than I wanted :)
1295477142 M * Bertl maybe take one step back and rething what you actually want to accomplish instead of how?
1295477150 M * Bertl *think
1295477210 Q * imcsk8 Remote host closed the connection
1295477267 M * Guy- I want to run two wsgi applications as two separate users, preferably without running anything as root and preferably without running two apache instances
1295477302 M * Guy- but it looks like having two apache instances is the simplest/cleanest solution after all
1295477306 M * Bertl apache has virtual host support with different users, IIRC
1295477321 M * Guy- yes, sort of, but it needs to be started as root for that
1295477330 M * Bertl naturally
1295477350 M * daniel_hozac suexec doesn't work?
1295477425 M * Guy- that's for cgi scripts and SSI, isn't it?
1295477504 M * Guy- but no, it wouldn't help
1295477515 M * Guy- with mod_wsgi, apache doesn't exec() a new process, it just forks
1295477908 M * Guy- oh well, two apache instances it is
1295480572 Q * ghislain1 Quit: Leaving.
1295480934 Q * ensc|w Ping timeout: 480 seconds
1295481185 J * ensc|w ~ensc@www.sigma-chemnitz.de