vserver path leak?


by Karl Goetz-4

Hi all,
An email I meant to send some weeks back, but forgot until the other
vserver thread came up.

I'm wondering if this is a security issue worth worrying over.
Situation:
- Host is testing, running 2.6.26-2-vserver-686
- both vservers are running stable

In one vserver I had cd'd into /root/icecat, and built a package. I
decided I wanted the package in the other vserver, so I moved it from
the host system into the /root/ directory in the 2nd vserver.

 `mv /var/lib/vservers/autobuilders/root/icecat/ /var/lib/vservers/buildvserver/root/`

when I cd'd out of /root/icecat in the first vserver, I was presented
with something that looked like a combination of both paths:
 /var/lib/vservers/autobuilders/lib/vservers/buildvserver

The suggestion in #vserver was "if you manage to get a host path on a
recent (non broken, i.e. non-debian :) kernel and util-vserver, then it
is considered a bug and will be fixed ASAP ... because that basically
means that the namespace isolation is not working properly"

Is this a valid bug? Are there some debianisms involved that could cause
the issues, or is it just another upstream who doesn't like "unofficial"
packages? :)
kk

--
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group



Re: vserver path leak?

by Micah Anderson-2

* Karl Goetz <karl@...> [2009-06-01 23:31-0400]:
> The suggestion in #vserver was "if you manage to get a host path on a
> recent (non broken, i.e. non-debian :) kernel and util-vserver, then it
> is considered a bug and will be fixed ASAP ... because that basically
> means that the namespace isolation is not working properly"
>
> Is this a valid bug? Are there some debianisms involved that could cause
> the issues, or is it just another upstream who doesn't like "unofficial"
> packages? :)

Only one way to find out, build a vanilla upstream, with the patch and
find out.

However, I cannot reproduce what you have seen, using the same kernel.

micah

ps - upstream doesn't like unofficial packages either :)




Re: vserver path leak?

by Karl Goetz-4

On Tue, 2 Jun 2009 00:14:45 -0400
Micah Anderson <micah@...> wrote:

Thanks for your response, sorry about my delay getting back to you.

> * Karl Goetz <karl@...> [2009-06-01 23:31-0400]:
> > The suggestion in #vserver was "if you manage to get a host path on
> > a recent (non broken, i.e. non-debian :) kernel and util-vserver,
> > then it is considered a bug and will be fixed ASAP ... because that
> > basically means that the namespace isolation is not working
> > properly"
> >
> > Is this a valid bug? Are there some debianisms involved that could
> > cause the issues, or is it just another upstream who doesn't like
> > "unofficial" packages? :)
>
> Only one way to find out, build a vanilla upstream, with the patch and
> find out.
>
> However, I cannot reproduce what you have seen, using the same
> kernel.

Odd. I've just done it again, using the same two vhosts.
(sorry about the wrapping)

sidvs:~/debomatic/Debomatic#

wesnoth:~#
mv /home/vservers/sidvs/root/debomatic /home/vservers/autobuilders/root/

sidvs:~/debomatic/Debomatic# cd ..
sidvs:/home/vservers/sidvs/vservers/autobuilders/root/debomatic#

wesnoth is the host.


Ah well, I might let this one slip past - I don't have time or
inclination to build upstream releases atm.

>
> micah
>
> ps - upstream doesn't like unofficial packages either :)
>

Such is life!
kk

--
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group



Re: vserver path leak?

by Micah Anderson-2

* Karl Goetz <karl@...> [2009-06-10 03:44-0400]:

> On Tue, 2 Jun 2009 00:14:45 -0400
> Micah Anderson <micah@...> wrote:
>
> Thanks for your response, sorry about my delay getting back to you.
>
> > * Karl Goetz <karl@...> [2009-06-01 23:31-0400]:
> > > The suggestion in #vserver was "if you manage to get a host path on
> > > a recent (non broken, i.e. non-debian :) kernel and util-vserver,
> > > then it is considered a bug and will be fixed ASAP ... because that
> > > basically means that the namespace isolation is not working
> > > properly"
> > >
> > > Is this a valid bug? Are there some debianisms involved that could
> > > cause the issues, or is it just another upstream who doesn't like
> > > "unofficial" packages? :)
> >
> > Only one way to find out, build a vanilla upstream, with the patch and
> > find out.
> >
> > However, I cannot reproduce what you have seen, using the same
> > kernel.
>
> Odd. I've just done it again, using the same two vhosts.
> (sorry about the wrapping)
>
> sidvs:~/debomatic/Debomatic#
>
> wesnoth:~#
> mv /home/vservers/sidvs/root/debomatic /home/vservers/autobuilders/root/
>
> sidvs:~/debomatic/Debomatic# cd ..
> sidvs:/home/vservers/sidvs/vservers/autobuilders/root/debomatic#
>
> wesnoth is the host.

Sounds like you have something funny going on in your guest's fstab,
either a bind mount or similar... What does your
/etc/vservers/sidvs/fstab have in it?

micah



Re: vserver path leak?

by Karl Goetz-4

On Wed, 10 Jun 2009 11:05:13 -0400
Micah Anderson <micah@...> wrote:

> * Karl Goetz <karl@...> [2009-06-10 03:44-0400]:
> > On Tue, 2 Jun 2009 00:14:45 -0400
> > Micah Anderson <micah@...> wrote:


> > Odd. I've just done it again, using the same two vhosts.
> > (sorry about the wrapping)
> >
> > sidvs:~/debomatic/Debomatic#
> >
> > wesnoth:~#
> > mv /home/vservers/sidvs/root/debomatic /home/vservers/autobuilders/root/
> >
> > sidvs:~/debomatic/Debomatic# cd ..
> > sidvs:/home/vservers/sidvs/vservers/autobuilders/root/debomatic#
> >
> > wesnoth is the host.
>
> Sounds like you have something funny going on in your guest's fstab,
> either a bind mount or similar... What does your
> /etc/vservers/sidvs/fstab have in it?

wesnoth:~# cat /etc/vservers/sidvs/fstab
none /proc proc defaults        0 0
none /tmp tmpfs size=16m,mode=1777      0 0
none /dev/pts devpts gid=5,mode=620          0 0

The autobuilders fstab is the same as that one.
kk

>
> micah


--
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group



Re: vserver path leak?

by Micah Anderson-2

* Karl Goetz <karl@...> [2009-06-11 08:25-0400]:

> On Wed, 10 Jun 2009 11:05:13 -0400
> Micah Anderson <micah@...> wrote:
>
> > * Karl Goetz <karl@...> [2009-06-10 03:44-0400]:
> > > On Tue, 2 Jun 2009 00:14:45 -0400
> > > Micah Anderson <micah@...> wrote:
>
>
> > > Odd. I've just done it again, using the same two vhosts.
> > > (sorry about the wrapping)
> > >
> > > sidvs:~/debomatic/Debomatic#
> > >
> > > wesnoth:~#
> > > mv /home/vservers/sidvs/root/debomatic /home/vservers/autobuilders/root/
> > >
> > > sidvs:~/debomatic/Debomatic# cd ..
> > > sidvs:/home/vservers/sidvs/vservers/autobuilders/root/debomatic#
> > >
> > > wesnoth is the host.
> >
> > Sounds like you have something funny going on in your guest's fstab,
> > either a bind mount or similar... What does your
> > /etc/vservers/sidvs/fstab have in it?
>
> wesnoth:~# cat /etc/vservers/sidvs/fstab
> none /proc proc defaults        0 0
> none /tmp tmpfs size=16m,mode=1777      0 0
> none /dev/pts devpts gid=5,mode=620          0 0
>
> The autobuilders fstab is the same as that one.

Although your fstab looks fine, you have some odd things going on that
I'm not sure I totally understand, for example it seems like your
vserver root is no longer in /var/lib/vservers, but rather in /home.

I think that jumping on the #vserver channel on oftc, or posting to that
list will probably get you more debugging advice than I can offer. I'd
like to know what is causing this, but I'm having a hard time debugging
it because I cannot replicate it with my setup.

m




Re: vserver path leak?

by Karl Goetz-4

On Thu, 11 Jun 2009 11:35:17 -0400
Micah Anderson <micah@...> wrote:

> * Karl Goetz <karl@...> [2009-06-11 08:25-0400]:
> > On Wed, 10 Jun 2009 11:05:13 -0400
> > Micah Anderson <micah@...> wrote:
> >
> > > * Karl Goetz <karl@...> [2009-06-10 03:44-0400]:
> > > > On Tue, 2 Jun 2009 00:14:45 -0400
> > > > Micah Anderson <micah@...> wrote:
> >

> > >
> > > Sounds like you have something funny going on in your guest's
> > > fstab, either a bind mount or similar... What does your
> > > /etc/vservers/sidvs/fstab have in it?
> >
> > wesnoth:~# cat /etc/vservers/sidvs/fstab
> > none /proc proc defaults        0 0
> > none /tmp tmpfs size=16m,mode=1777      0 0
> > none /dev/pts devpts gid=5,mode=620          0 0
> >
> > The autobuilders fstab is the same as that one.
>
> Although your fstab looks fine, you have some odd things going on that
> I'm not sure I totally understand, for example it seems like your
> vserver root is no longer in /var/lib/vservers, but rather in /home.

I moved it - my /var/ is quite small.

>
> I think that jumping on the #vserver channel on oftc, or posting to
> that list will probably get you more debugging advice than I can
> offer. I'd like to know what is causing this, but I'm having a hard
> time debugging it because I cannot replicate it with my setup.

I was told not to use a broken debian version when asking on #vserver,
so I'll probably leave trying to debug this properly until I have time
to rebuild from upstream source.

Thanks for taking a look at it!
kk

>
> m
>


--
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group


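
Added example (not part of any message in this thread): a host-side check for the condition reproduced above, where a guest process's working directory ends up outside its own root after a host-side mv. It assumes a Linux /proc read as root on the host and that a guest process's /proc/PID/root resolves to the guest's directory; is_beneath and scan_escaped are names made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux /proc, run as root on
# the host, and that /proc/PID/root of a guest process resolves to the
# guest's directory (e.g. /home/vservers/sidvs). Function names are made up.

# is_beneath ROOT PATH: succeed if PATH is ROOT itself or lies under it.
is_beneath() {
    root=${1%/}     # "/" becomes "", so any absolute path then matches
    case "$2" in
        "$root" | "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_escaped [PROCDIR]: print "PID ROOT CWD" for every process whose
# working directory is no longer beneath its root directory.
scan_escaped() {
    procdir=${1:-/proc}
    for d in "$procdir"/[0-9]*; do
        [ -d "$d" ] || continue
        r=$(readlink "$d/root" 2>/dev/null) || continue   # gone or no access
        c=$(readlink "$d/cwd" 2>/dev/null) || continue
        is_beneath "$r" "$c" || printf '%s %s %s\n' "${d##*/}" "$r" "$c"
    done
}

scan_escaped "${1:-/proc}"
```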