> from vserver patch
>
> diff -rc2P linux-2.4.19/fs/namei.c linux-2.4.19ctx-14/fs/namei.c
> *** linux-2.4.19/fs/namei.c Tue Aug 6 15:02:24 2002
> --- linux-2.4.19ctx-14/fs/namei.c Sun Oct 13 23:58:55 2002
> ***************
> *** 153,156 ****
> --- 153,165 ----
> umode_t mode = inode->i_mode;
>
> + /*
> + A dir with permission bit all 0s is a dead zone for
> + process running in a vserver. By doing
> + chmod 000 /vservers
> + you fix the "escape from chroot" bug.
> + */
> + if ((mode & 0777) == 0
> + && S_ISDIR(mode)
> + && current->s_context != 0) return -EACCES;
> if (mask & MAY_WRITE) {
> /*
>
> I don't think that will work, especially as it seems vserver's dont
> nest.
This was just a quick and dirty fix to prevent root in a vserver from
breaking out into the "real server", that's it. chroot() inside a
vserver works exactly the same way as without vservers.
One negative sideeffect is that root in a vserver can't access any
directory with all 0s in the permission bits. But that's better than
having root in a vserver being able to go out into the "real server".
I'm not saying this is a very good solution but I think it at least does
what it's supposed to do in a dirty way.
-- /MartinNever argue with an idiot. They drag you down to their level, then beat you with experience. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/