authorSilvio Rhatto <rhatto@riseup.net>2009-12-26 18:14:10 -0200
committerSilvio Rhatto <rhatto@riseup.net>2009-12-26 18:14:10 -0200
commit615a9e08f69335d46695db4748725fcc5b4393b8 (patch)
tree7ce68d96a1c02aa3773b54465c47602222a61176
parentbf93546dd04c4a10f7eaa85da667941eaeda31c8 (diff)
Checking for secure chroot barrier
-rw-r--r--manifests/vserver.pp7
1 files changed, 7 insertions, 0 deletions
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index 4c1578d..3609fb1 100644
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -226,6 +226,13 @@ define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false,
require => Exec["vs_create_${vs_name}"];
}
+ # ensure a secure chroot barrier
+ # we have to do it for each vserver, see
+ # http://linux-vserver.org/Secure_chroot_Barrier#Solution:_Secure_Barrier
+ exec { "setattr --barrier /etc/vservers/${vs_name}/vdir/../":
+ unless => "showattr /etc/vservers/${vs_name}/vdir/../ | grep -- '----Bui- /etc/vservers/${vs_name}/vdir/../$'"
+ }
+
case $ensure {
present: {
# don't start or stop the vserver, just make sure it exists, we just run a dummy status test here
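Review bot: The new barrier exec has no ordering relative to the rest of the define: unlike the resource just above it, which carries `require => Exec["vs_create_${vs_name}"]`, it can be scheduled before `/etc/vservers/${vs_name}/vdir` exists, and nothing visible ensures it has run before the guest is started from the `case $ensure` block that follows. I would add `require => Exec["vs_create_${vs_name}"],` to it and, assuming the start/stop resources are declared in that case block (its body is not in this hunk), have them require this exec so a guest is never running without the barrier in place. The command and the `unless` check also call bare `setattr`, `showattr` and `grep`, which only resolve if an Exec default `path` is set somewhere outside this hunk; otherwise a `path` attribute or fully qualified command names are needed. The `unless` pattern depends on showattr's exact flag string, so a mismatch simply re-runs `setattr` on every catalog run, which fails in the safe direction but deserves a one-line comment saying so. The body of the `vserver` define starts and ends outside the hunk.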