Hello

On Wed, Oct 12, 2005 at 08:32:56PM -0400, micah wrote:
> Hi,
>
> Ok, I've done a few things. First I've tested and determined a number of
> problems with the testfs.sh-0.99 that was being used. Bertl has
> incorporated my changes, and fixed a number of others and has made
> testfs.sh-0.11 which more accurately represents successes.

Ok, good to know.

> Additionally, I've gotten a system together with a fresh sarge install
> that I could test these things. I have completed my tests with the 2.4
> kernel and kernel patch, and am limiting this reply to that only, I will do
> the 2.6 tests next and report those back as separate findings.

Really nice.

> Ola Lundqvist wrote:
>
> >reassign 329090 kernel-patch-vserver
> >thanks
>
> You need to CC control@ in order for these commands to take effect. If
> you will notice, this bug is still on util-vserver.

I decided to not reassign it but obviously forgot to remove those lines...

> However, as you will find from my exhaustive tests below, it seems to
> remain a bug with util-vserver, and should not be changed (at least for
> 2.4, once I have done tests on 2.6 we will know if this bug needs to be
> cloned and the 2.4 issues stay with util-vserver, and the 2.6 versions
> go to the kernel-patch).

Decided as I figured that this could be the case.

> > I have only tested with ext2 and ext3 on my systems on a 2.4.27 kernel
> > patched a long time ago. Do not remember when.
>
> This isn't going to help us too much. You are basically saying that this
> is a 2.4.27 kernel, but not which debian version, and you aren't
> specifying which vserver kernel-patch you are running. Without that
> information, it is really hard to correlate.

I know. I just wanted to have some more test data with something else to
try to determine something from it.

> However, I've done tests with the current versions that are in sarge
> now. See below.

Ok.

> > 0.30.204-5sarge2 (sarge version, built on machine with no vserver support):
> > [000]. xattr related tests ...
> > [101]. [102]. [103]* [104]* [106]* [108]. [109]*
> > [112]. [113]. [114]* [115]. [116]. [117]. [118]. [119].
> > [121]* [122]* [123]. [124]* [199].
>
> My tests:
>
> Test #1
> Using all debian sarge components:
> kernel-source: 2.4.27-10 (debian sarge)
> util-vserver: 0.30-204-5sarge2 (debian sarge)
> kernel-patch: 1.9.5.3 (debian sarge)
>
> 103, 104, 106, 109, 121, 122 all fail on ext2, not 114 or 124 as your
> tests show.
>
> Conclusion: either the fixes to testfs caused error 114 and 124 to go
> away, or you have a different kernel-source or kernel-patch applied.
> Either try again with testfs.sh-0.11 or install the latest sarge kernel
> source and kernel-patch-vserver as those versions are all that matter here.

I'll use your test data instead.

> Test #2
> Using only debian sarge util-vserver:
> kernel-source: 2.4.31 (upstream)
> util-vserver: 0.30-204-5sarge2 (debian sarge)
> kernel-patch: 1.2.10 (upstream)
>
> 103, 104, 106, 109, 121, 122 all fail on ext2, the same as failed using
> all debian sarge components in test #1.
>
> Conclusion: based on the results from this test, and the previous, it is
> clear that the debian kernel source and the debian kernel patch don't
> make a difference here
>
> > 0.30.208-2 (unstable version, built on sarge host with no vserver support):
> > [000]. xattr related tests ...
> > [101]. [102]. [103]. [104]* [106]. [108]. [109].
> > [112]. [113]. [114]* [115]. [116]. [117]. [118]. [119].
> > [121]. [122]* [123]. [124]* [199].
>
> My tests:
>
> Test #3
> Using debian sarge components with upstream util-vserver:
> kernel-source: 2.4.27-10 (debian sarge)
> util-vserver: 0.30-208+fix03 (upstream)
> kernel-patch: 1.9.5.3 (debian sarge)
>
> Only test 106 fails... Not 104, 114, 122 or 124.
>
> Conclusion: either the fixes to testfs caused 104, 114, 122, 124 to go
> away or you have a different kernel-source or kernel-patch applied, try
> with testfs.sh-0.11 to see, or just try with a current sarge kernel and
> patch since that is all that matters here.
>
> Test #4
> Using all upstream components:
> kernel-source: 2.4.31 (upstream)
> util-vserver: 0.30-208+fix03 (upstream)
> kernel-patch: 1.2.10 (upstream)
>
> Only test 106 fails, same as the previous test, when we use the debian
> sarge kernel-source and kernel-patch.
>
> Conclusion: Based on the results of this test, and the previous, it is
> clear that the debian sarge kernel source and debian sarge kernel patch
> don't make a difference here either, the problem has been isolated to
> util-vserver 0.30-204-5sarge2 in sarge. If this is actually a problem, I
> do not know, this definitely needs to be determined. Additionally, test
> 106 could be in error, this should also be checked.

Good to know.

>
> The above tests are only done with ext2, I am not sure why you didn't do
> the xfs, reiserfs and jfs tests, but there is no need, as I have done them:
>
> Test #1
> Using all debian sarge components:
> kernel-source: 2.4.27-10 (debian sarge)
> util-vserver: 0.30-204-5sarge2 (debian sarge)
> kernel-patch: 1.9.5.3 (debian sarge)
>
> ext3 failures: 103, 104, 106, 109, 121, 122 (note: same as ext2 in test #1)
> xfs failures: 103, 104, 106, 109, 114, 115, 117, 121, 122, 124
> reiserfs failures: 103, 104, 106, 109, 118, 119, 121, 122
> jfs failures: 103, 104, 106, 109, 112, 113, 114, 116, 118, 119, 121,
> 122, 123, 124
>
> Test #2
> Using only debian sarge util-vserver:
> kernel-source: 2.4.31 (upstream)
> util-vserver: 0.30-204-5sarge2 (debian sarge)
> kernel-patch: 1.2.10 (upstream)
>
> ext3 failures: 103, 104, 106, 109, 121, 122 (note: same as test #1)
> xfs failures: 103, 104, 106, 109, 114, 115, 117, 121, 122, 124 (note:
> same as test #1)
> reiserfs failures: 103, 104, 106, 109, 118, 119, 121, 122 (note: same as
> test #1)
> jfs failures: 103, 104, 106, 109, 112, 113, 114, 116, 118, 119, 121,
> 122, 123, 124 (note: same as test #1)
>
> Conclusion: All tests had the same results as test #1 the conclusion
> reached originally still holds: it is clear that the debian kernel
> source and the debian kernel patch don't make a difference here
>
> Test #3
> Using debian sarge components with upstream util-vserver:
> kernel-source: 2.4.27-10 (debian sarge)
> util-vserver: 0.30-208+fix03 (upstream)
> kernel-patch: 1.9.5.3 (debian sarge)
>
> ext3 failures: 106
> xfs failures: 103, 104, 106, 114, 115, 117, 121, 122, 124
> reiserfs failures: 106, 118, 119
> jfs failures: 102, 103, 104, 106, 108, 109, 112, 113, 114, 116, 118,
> 119, 121, 122, 123, 124
>
> Test #4
> Using all upstream components:
> kernel-source: 2.4.31 (upstream)
> util-vserver: 0.30-208+fix03 (upstream)
> kernel-patch: 1.2.10 (upstream)
>
> ext3 failures: 106 (note: same as test #3)
> xfs failures: 103, 104, 106, 114, 115, 117, 121, 122, 124 (note: same as
> test #3)
> reiserfs failures: 106, 118, 119 (note: same as test #3)
> jfs failures: 102, 103, 104, 106, 108, 109, 112, 113, 114, 116, 118,
> 119, 121, 122, 123, 124 (note: same as test #3)
>
> Conclusion: using *all* upstream pieces, the same failures occur when
> using debian kernel source and kernel patch. This leads me to believe
> that either the upstream kernel source is broken, the upstream linux
> vserver patch is broken, or most likely the testfs is not working
> properly for these tests.
>
> > So my conclusion is that where you build the binary (if it is an i386
> > machine)
> > does not give any difference from a security point of view.
>
> I agree, your test results show no difference, I don't believe this has
> anything to do with it.

I just wanted to have some proof that whether I _compile_ the
util-vserver software on a machine with vserver enabled kernel or not
can make any difference from a security perspective. I thought so in
the beginning as recompiling it could give such indication.

Thanks a lot for your help. Now I just have to figure out what does help
so I can backport it to sarge...

Regards,

// Ola

> Micah

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                     Annebergsslingan 37      \
|  [EMAIL PROTECTED]                     654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------