
Bug 56171

Summary: sys-kernel/vserver-sources Context procfs shared permissions flaw
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Kernel Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: plasmaroo
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.securityfocus.com/archive/1/367977
Whiteboard: [ Upstream ]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-05 14:02:50 UTC
Description|
-----------+

While auditing and experimenting with VServer procfs and vproc security
we discovered a problem sharing permissions on the procfs mounted
directories:

Within any context users are still able to change permissions on /proc,
both access permission and ownership. That is just fine as many people
would like to restrict access to /proc to the root user or a group of
trusted users.

But as changes to a procfs mountpoint do not apply to the mountpoint
itself but to procfs in general, these changes affect all contexts
(VServers) and even the host system.

All tests were done against the stable branch (1.2x) but according to
Herbert Poetzl, the problem exists on both devel branches (1.3.x,
1.9.x), too.

Version 1.28 (stable branch) resolves this problem.
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2004-07-07 11:23:24 UTC
I'm waiting for the upstream VServer developers to release a fixed version of the 1.3 branch, I'll add it in when they do...
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2004-07-09 06:15:23 UTC
Removed the development branch and added in 1.28; closing this bug as FIXED. I'll address this issue in the next batch of kernel announcements...