From 615a9e08f69335d46695db4748725fcc5b4393b8 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 26 Dec 2009 18:14:10 -0200
Subject: Checking for secure chroot barrier
---
 manifests/vserver.pp | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'manifests')
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index 4c1578d..3609fb1 100644
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -226,6 +226,13 @@ define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false,
 require => Exec["vs_create_${vs_name}"];
 }
 
+ # ensure a secure chroot barrier
+ # we have to do it for each vserver, see
+ # http://linux-vserver.org/Secure_chroot_Barrier#Solution:_Secure_Barrier
+ exec { "setattr --barrier /etc/vservers/${vs_name}/vdir/../":
+ unless => "showattr /etc/vservers/${vs_name}/vdir/../ | grep -- '----Bui- /etc/vservers/${vs_name}/vdir/../$'"
+ }
+
 case $ensure {
 present: {
 # don't start or stop the vserver, just make sure it exists, we just run a dummy status test here
--
cgit v1.2.3
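Review bot: The new `exec` that sets the barrier declares no ordering, so Puppet may run `setattr --barrier` before `Exec["vs_create_${vs_name}"]` has created `/etc/vservers/${vs_name}/vdir`; the run then fails and the barrier is only applied on a later run. Add `require => Exec["vs_create_${vs_name}"],` as the resource just above it does, and if the resource that starts the guest is known, order the barrier before it. The exec is also declared outside `case $ensure`, so it presumably runs for every `$ensure` value, including ones where the vserver directory may not exist; confirm this against the rest of the define, which starts and ends outside this hunk. The `unless` test matches the exact flag string `----Bui-`, so any other attribute on that directory makes the check miss and the command re-run on every catalog application, which fails safe but deserves a comment. No `path` is set, so the unqualified `setattr`, `showattr` and `grep` depend on an `Exec` default defined elsewhere.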