Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)

To: debian-devel@lists.debian.org
Subject: Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
From: Matt Zimmerman <mdz@debian.org>
Date: Fri, 13 Dec 2002 13:17:34 -0500
Message-id: <[🔎] 20021213181734.GG21885@mizar.alcor.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20021213165546.GC10240@wile.excelhustler.com>
References: <[🔎] 20021212000837.GC5293@thanes.org> <[🔎] 20021212013529.GA24188@quetzlcoatl.dodds.net> <[🔎] 200212111746.57828.shalehperry@attbi.com> <[🔎] 1039660986.22203.17.camel@space-ghost> <[🔎] 20021212225302.GB2186@snoopy.apana.org.au> <[🔎] 20021213040358.GB9083@mizar.alcor.net> <[🔎] 20021213144818.GB4607@wile.excelhustler.com> <[🔎] 20021213153719.GB21885@mizar.alcor.net> <[🔎] 20021213165546.GC10240@wile.excelhustler.com>

On Fri, Dec 13, 2002 at 10:55:46AM -0600, John Goerzen wrote:

> On Fri, Dec 13, 2002 at 10:37:20AM -0500, Matt Zimmerman wrote:
> > - entirely separate process table with its own working init(1), so full
> >   system startup and shutdown can be tested, as well as init itself
> 
> vserver provides this as well, with the exception that it does not provide
> virtual consoles for init.

My interpretation of the documentation was that it simply did not allow
processes in different contexts to see each other, but they shared a PID
space.  Is this incorrect?  (i.e., could there be two processed with PID 1?)

> > - shareable, copy-on-write block devices (makes repeated testing much
> > more efficient)
> 
> vserver provides some sort of support for copy-on-write filesystem trees,
> but it always seemed like an unnecessary kludge to me, so I didn't bother
> with it.

> The others I agree with.
> 
> vserver, then, has these advantages:
> 
> - faster execution
> 
> - can have direct access to the hardware on the host machine if so desired
>   (restricted by capabilities and what files are present in /dev)
> 
> - less kludgy networking setup (though it still is a bit kludgy, but
>   UML gave me no end of troubles)
> 
> > Unless their kernel patch changes the semantics of chroot() and a bunch
> > of other things, this is not at all true, and it is trivial to break out
> > of a chroot given root access.
> 
> If I understand correctly, they have not changed the semantics of chroot()
> but have instead introduced new system calls that are used to implement
> the features that are necessary.  There is a new chbind() system call that
> restricts that network ports a process can bind to (and it is
> non-reversible) and a context system that isolates processes and the like
> from each other.
> 
> The vserver system is pretty careful about executing things exactly right,
> and combined with permissions set to 000 of the parent directory of the
> chroots and reduced capabilities for child contexts, they seem to have
> accomplished what they claim without altering the semantics of chroot().
> I have not looked at the code in any detail, but I can vouch for the
> common attacks (cd .. for instance) not working.

>From what I see, they seem to rely on 1) capabilites, and 2) this mode-000
patch.  I am not certain that this combination closes all publicly known
chroot escapes, much less all possible ones.  Their FAQ:

http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=62

seems to only address two common methods; I do not know that anyone has even
investigated whether further escapes from vserver are possible.

Security concerns aside, I'd like to see someone implement similar ideas in
vserver alongside what I want to do with UML, to see how they compare in
practice.

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
  - From: John Goerzen <jgoerzen@complete.org>

References:
- Is Sid for broken stuff? Is it too much to ask for testing the packages?
  - From: Marek Habersack <grendel@debian.org>
- Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?
  - From: Steve Langasek <vorlon@netexpress.net>
- Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?
  - From: Sean 'Shaleh' Perry <shalehperry@attbi.com>
- Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?
  - From: Colin Walters <walters@debian.org>
- Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?
  - From: Brian May <bam@debian.org>
- Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
  - From: John Goerzen <jgoerzen@complete.org>

Prev by Date: Re: gsview
Next by Date: Re: Bug#172189: ITP: openscenegraph -- C++/OpenGL based graphics development library.
Previous by thread: Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
Next by thread: Re: Automated package testing (Re: Is Sid for broken stuff? Is it too much to ask for testing the packages?)
Index(es):
- Date
- Thread