1409877683 J * thierryp ~thierry@home.parmentelat.net
1409878168 Q * thierryp Ping timeout: 480 seconds
1409879747 Q * zerick Read error: Operation timed out
1409881283 J * thierryp ~thierry@home.parmentelat.net
1409881768 Q * thierryp Ping timeout: 480 seconds
1409882667 J * fisted_ ~fisted@xdsl-84-44-220-207.netcologne.de
1409882668 Q * fisted Read error: Connection reset by peer
1409882685 N * fisted_ fisted
1409884844 Q * geb Ping timeout: 480 seconds
1409884882 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:b5a3:37e4:520:8e25
1409885367 Q * thierryp Ping timeout: 480 seconds
1409885890 J * geb ~geb@mars.gebura.eu.org
1409886148 Q * hijacker Read error: Connection timed out
1409886183 J * hijacker ~hijacker@bgva.sonic.taxback.ess.ie
1409888482 J * thierryp ~thierry@home.parmentelat.net
1409888964 Q * thierryp Ping timeout: 480 seconds
1409890819 M * Bertl off to bed now ... have a good one everyone!
1409890833 N * Bertl Bertl_zZ
1409892082 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:1c6e:48c9:aa06:37c6
1409892563 Q * thierryp Ping timeout: 480 seconds
1409894329 J * thierryp ~thierry@home.parmentelat.net
1409894814 Q * thierryp Ping timeout: 480 seconds
1409894872 Q * karasz Ping timeout: 480 seconds
1409896865 J * thierryp ~thierry@zebra.inria.fr
1409897173 J * Ghislain ~aqueos@adsl1.aqueos.com
1409898782 Q * thierryp Remote host closed the connection
1409899130 J * thierryp_ ~thierry@zebra.inria.fr
1409899162 Q * thierryp_ Remote host closed the connection
1409900005 J * thierryp ~thierry@zebra.inria.fr
1409900557 Q * thierryp Ping timeout: 480 seconds
1409901180 Q * voegelas Remote host closed the connection
1409902135 J * voegelas ~voegelas@www.andreasvoegele.com
1409905017 J * BenG ~BenG@cpc29-aztw22-2-0-cust128.18-1.cable.virginm.net
1409905265 J * thierryp ~thierry@zebra.inria.fr
1409906311 M * BenG hey all
1409906320 M * BenG configuring 3.14 kernel now
1409906340 M * BenG I'll pop in with some config options as they come up
1409906513 M * BenG " User namespace (USER_NS) [N/y/?] n"
1409906533 M * BenG if I turned that on would it conflict with Vserver?
1409906934 M * BenG CC_STACKPROTECTOR_REGULAR selected - would anyone have prepared CC_STACKPROTECTOR_STRONG
1409906936 M * BenG ?
1409906950 M * BenG (preferred)
1409906955 M * renihs that's gcc dependent
1409906970 M * BenG I'll be using GCC
1409906996 M * renihs gcc version dependent
1409907120 M * BenG do you mean the "strong" option?
1409907184 M * renihs i mean both options, regular requires 4.8, strong will require 4.9
1409907194 M * BenG oh
1409907198 M * BenG I'm on 4.7
1409907203 M * BenG Debian Wheezy
1409907211 M * renihs then neither is a valid option
1409907230 M * BenG I've had stack protection on in previous builds though
1409907262 M * BenG so the other option is CC_STACKPROTECTOR_NONE
1409907268 M * BenG but that doesn't sound good
1409907351 M * renihs well, look at the help, says from 4.2 assuming your gcc has been compiled with stack-protector
1409907355 M * renihs for regular
1409907366 M * renihs i suppose you can enable regular and see if it barfs
1409907428 M * BenG yeah I will
1409907460 M * BenG so what would be the equivalent of the s CC_STACKPROTECTOR option?
1409907463 M * renihs This feature requires gcc version 4.2 or above, or a distribution gcc with the feature backported ("-fstack-protector")
1409907601 M * BenG NF_TABLES_INET - I'm saying yes
1409907620 M * BenG NF_TABLES_INET - I'm saying module
1409908605 M * BenG right OK, that's all configured, I'll start the compile and await the failure due to the GCC option
1409908734 M * renihs shouldn't, assuming debian patches their gcc with stack-protector
1409908825 M * BenG OK
1409908845 M * BenG but 4.7 would have that available anyway yes?
1409908904 M * renihs i really have no idea how the debian compilers are patched
1409908931 M * renihs ask your distro? must be documented
1409909137 Q * thierryp Remote host closed the connection
1409909435 M * renihs seems to be a mess, did a few googles and results are less than conclusive :)
1409909456 M * renihs there also seem to have been a few "regressions", disabling stack-protection actually it seems
1409909465 M * renihs probably the best way is to try :)
1409909643 M * BenG seems to be compiling fine
1409909684 M * renihs well, it probably would compile even when gcc isn't compiled with protection, just dropping it, no idea
1409909699 M * BenG "i really have no idea how the debian compilers are patched" "seems to be a mess" - sounds about right
1409909714 M * renihs i just tried for 5 minutes to figure out if debian has those patches and the answer seems to be "maybe"
1409909733 M * renihs if in doubt compile yourself or test the overflow smashing feature practically
1409909966 M * renihs seems like since 4.6 it should be in there no matter what
1409909980 M * renihs or 4.7
1409910085 M * BenG "DIST's current policy is to closely follow the upstream development and
1409910085 M * BenG +only apply a minimal set of patches (which are summarized in the README.Debian
1409910085 M * BenG +document)."
1409910097 M * BenG I'll have a look there
1409910419 M * renihs well, if you care about security so much, the next step would be hardening :)
1409910432 M * renihs grsec patches or similar :)
1409910574 M * BenG stack protection is pretty basic protection surely
1409910590 M * BenG the GRSEC patch isn't well maintained at the moment
1409910620 M * renihs it isn't?
1409910620 M * BenG and the scores are in: there are 73 patches to wheezy's GCC-4.7
1409910646 M * BenG renihs, not for the vserver patched kernel, SFAIK
1409911423 J * thierryp ~thierry@zebra.inria.fr
1409911495 J * thierryp_ ~thierry@zebra.inria.fr
1409911495 Q * thierryp Read error: Connection reset by peer
1409911793 M * renihs yeah, that is true, forgot i am in #vserver :)
1409911794 J * karasz ~karasz@00015555.user.oftc.net
1409912529 N * AbyssOne a1-away
1409913903 Q * Aiken Remote host closed the connection
1409913914 Q * BenG Quit: I Leave
1409914626 N * Bertl_zZ Bertl
1409914636 M * Bertl morning folks!
1409914679 Q * thierryp_ Ping timeout: 480 seconds
1409914821 J * alpha_one_x86 ~kvirc@190.186.218.106
1409914856 M * alpha_one_x86 Hello, I have: mount -o bind /folder1/ /folder2/ : mount: permission denied
1409915096 M * Bertl sounds like you're missing a capability there?
1409915117 J * BenG ~BenG@cpc29-aztw22-2-0-cust128.18-1.cable.virginm.net
1409915124 M * alpha_one_x86 exactly, but what CAP allows that?
1409915238 M * Bertl in the ccaps set, SECURE_MOUNT and for remount, SECURE_REMOUNT should suffice
1409915643 M * alpha_one_x86 but that allows mounting /dev/md2 into the guest...
1409915823 J * thierryp ~thierry@zebra.inria.fr
1409916208 M * Bertl for mounting or bind mounting into the guest namespace you do not need any ccaps, it can be done from the guest's admin namespace
1409916236 M * Bertl the ccaps are only needed if you want the guest to be able to mount/remount stuff
1409916492 Q * BenG Quit: I Leave
1409916702 M * alpha_one_x86 mount -o bind /folder1/ /folder2/ : mount: permission denied -> I do it inside the guest as root...
1409916811 M * Bertl which means that you do not have the proper capabilities, as I said, but the question is more, what do you actually want to do?
1409916889 M * Bertl do you a) want to allow the guest to do such mounts? or b) do the mount so that the guest will see it?
1409916895 M * alpha_one_x86 as root, be able to do a bind mount inside the guest
1409916907 M * alpha_one_x86 but not mount devices
1409916938 M * Bertl there should be no mountable devices in a properly configured guest
1409916943 M * alpha_one_x86 mount so that the guest will see it, then never go out of the guest
1409917384 M * Bertl to mount it once when the guest starts you simply put the bind mount entry into the guest's fstab
1409917413 M * Bertl to mount it as host admin at a later time without restarting the guest, you enter the guest's admin space and do the bind mount there
1409917423 M * Bertl (it will propagate into the guest)
1409918020 M * alpha_one_x86 and to mount as guest admin without putting it into fstab?
1409918565 M * Bertl if you want to allow root inside the guest to do mounts, you need to give the ccaps as mentioned before
1409918754 M * alpha_one_x86 I want to allow only the bind mount, no device mount
1409918774 M * Bertl then you have to modify the kernel
1409918830 M * Bertl but note that by default a secure guest has no mountable devices and cannot create new ones, so it is rather safe that way
1409919134 M * alpha_one_x86 Then I have a userspace-only solution, I will use that
1409919185 M * alpha_one_x86 another question, on lxc I use vlan, meaning a mac per guest, and vserver uses ip (not mac) per guest, I have tried to do that for lxc but I have failed
1409919197 M * alpha_one_x86 any link, info for that?
1409919239 M * Bertl I don't think lxc supports that, but you can use network namespaces on Linux-VServer to get a network stack per guest
1409919330 M * Bertl so if you want a network stack (i.e. connect via a veth device) on Linux-VServer, you just need to configure the network namespace for that guest
1409919342 M * Bertl (recent util-vserver handles that fine)
1409919432 Q * thierryp Remote host closed the connection
1409919469 Q * Defaultti Quit: Quitting.
1409919558 J * Defaultti defaultti@lakka.kapsi.fi
1409919623 M * alpha_one_x86 ok, thanks for your help, bye
1409919630 Q * alpha_one_x86 Quit: KVIrc KVIrc Aria 4.3.1, revision: 6250, sources date: 20120701, built on: 2014-08-04 21:20:58 UTC http://www.kvirc.net/
1409919822 J * thierryp_ ~thierry@zebra.inria.fr
1409919904 J * thierryp ~thierry@zebra.inria.fr
1409919904 Q * thierryp_ Read error: Connection reset by peer
1409928580 J * fisted_ ~fisted@xdsl-87-78-187-218.netcologne.de
1409929021 Q * fisted Ping timeout: 480 seconds
1409929023 N * fisted_ fisted
1409930442 J * zerick ~eocrospom@190.118.28.252
1409934351 J * bonbons ~bonbons@2001:a18:22a:2201:e886:46c5:fef9:c137
1409935193 Q * zerick Ping timeout: 480 seconds
1409935726 J * zerick ~eocrospom@190.118.28.252
1409937660 Q * zerick Ping timeout: 480 seconds
1409937808 Q * thierryp Remote host closed the connection
1409938126 J * zerick ~eocrospom@190.118.28.252
1409940708 Q * zerick Ping timeout: 480 seconds
1409941571 J * zerick ~eocrospom@190.118.28.252
1409941937 Q * zerick Read error: Operation timed out
1409941983 J * zerick ~eocrospom@190.118.28.252
1409943826 Q * zerick Ping timeout: 480 seconds
1409943902 J * zerick ~eocrospom@190.118.28.252
1409944977 Q * ensc|w Remote host closed the connection
1409944988 J * ensc|w ~ensc@www-old.sigma-chemnitz.de
1409945643 Q * zerick Ping timeout: 480 seconds
1409946009 J * Aiken ~Aiken@d63f.h.jbmb.net
1409946185 J * zerick ~eocrospom@190.118.30.195
1409951275 Q * bonbons Quit: Leaving
1409961510 Q * Ghislain Quit: Leaving.