Debian Bug report logs - #329087
kernel-patch-vserver: be able to do chroot escape


Package: kernel-patch-vserver; Maintainer for kernel-patch-vserver is (unknown);

Reported by: Andrew Lee <andrew@linux.org.tw>

Date: Mon, 19 Sep 2005 14:48:10 UTC

Severity: critical

Tags: moreinfo, patch, sarge, security

Fixed in versions kernel-patch-vserver/2.3, kernel-patch-vserver/1.9.5.4

Done: Micah Anderson <micah@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, andrew@linux.org.tw, herbert@13thfloor.at, Debian Security Team <team@security.debian.org>, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to Andrew Lee <andrew@linux.org.tw>:
New Bug report received and forwarded. Copy sent to andrew@linux.org.tw, herbert@13thfloor.at, Debian Security Team <team@security.debian.org>, Micah Anderson <micah@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Andrew Lee <andrew@linux.org.tw>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kernel-patch-vserver: be able to do chroot escape
Date: Mon, 19 Sep 2005 21:29:06 +0800
Package: kernel-patch-vserver
Severity: critical
Tags: sarge
Justification: root security hole

Dear maintainer(s),

I found that kernel-patch-vserver and util-vserver in sarge cannot pass
the testfs.sh script[1] provided by the upstream author. After some more
tests, the upstream author discovered this is a security hole.

Here is what I did in my test:
# ls -lda /var/lib/vservers/XXXX/..
d---------  8 root root 4096 Sep 19 19:46 /var/lib/vservers/XXXX/../
# showattr -d /var/lib/vservers/XXXX/..
---BU-- /var/lib/vservers/XXXX/..
# lsattr -d /var/lib/vservers/XXXX/..
---------------t- /var/lib/vservers/XXXX/..

Sshing into a guest and then starting the root exploit[2] inside the guest now
gives: Exploit seems to work. =)

And then I am able to access the host, read /etc/shadow
and create /test.txt on the host.

[1] http://vserver.13thfloor.at/Stuff/SCRIPT/testfs.sh-0.09
[2] http://vserver.13thfloor.at/Stuff/rootesc.c

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-10vserver
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)



Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to Micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>.

Message #10 received at 329087@bugs.debian.org:

From: Micah <micah@riseup.net>
To: Andrew Lee <andrew@linux.org.tw>, 329087@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#329087: kernel-patch-vserver: be able to do chroot escape
Date: Thu, 29 Sep 2005 17:36:57 -0400

tag 329087 +moreinfo
thanks


Andrew Lee wrote:
> I found that kernel-patch-vserver and util-vserver in sarge cannot pass
> the testfs.sh script[1] provided by the upstream author.

Please tell me how you run this script and what failures you get. Also,
this is a destructive test, correct?

> After some more
> tests, the upstream author discovered this is a security hole.
> 
> Here is what I did in my test:
> # ls -lda /var/lib/vservers/XXXX/..

Did you first mkdir /var/lib/vservers/XXXX? I assume you did, otherwise
you will get an error that XXXX does not exist. Although perhaps XXXX is
supposed to be a vserver? I will continue assuming that is the case.

> d---------  8 root root 4096 Sep 19 19:46 /var/lib/vservers/XXXX/../

You would only get a trailing slash if you actually did:
# ls -lda /var/lib/vservers/XXXX/../

> # showattr -d /var/lib/vservers/XXXX/..
> ---BU-- /var/lib/vservers/XXXX/..

This is not what I get on my i386 system:

# showattr -d /var/lib/vservers/XXXX/..
---bui- /big/vservers/XXXX/..

> # lsattr -d /var/lib/vservers/XXXX/..
> ---------------t- /var/lib/vservers/XXXX/..

Also I do not get this on my system:
# lsattr -d /var/lib/vservers/XXXX/..
----------------- /big/vservers/XXXX/..

Please tell me what architecture you are running, what kernel version
you are running, which kernel patch you are running and how you applied
and compiled the kernel. Additionally, did you setup the chroot barrier
properly?

> ssh into a guest and then starting the root exploit[2] inside a guest now
> gives: Exploit seems to work. =)

sshing into a guest on my system and running that root exploit gives:
mkdir baz: Permission denied
chroot baz: No such file or directory

> And then I am able to access the host, read /etc/shadow
> and create /test.txt on the host.

I think you may have set something up incorrectly, or perhaps the
util-vserver tools did not set the chroot barrier properly.

Micah



Tags added: moreinfo Request was from Micah <micah@riseup.net> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to Micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>.

Message #17 received at 329087@bugs.debian.org:

From: Micah <micah@riseup.net>
To: Micah <micah@riseup.net>, 329087@bugs.debian.org
Cc: Andrew Lee <andrew@linux.org.tw>
Subject: Re: Bug#329087: kernel-patch-vserver: be able to do chroot escape
Date: Thu, 29 Sep 2005 17:51:14 -0400

Micah wrote:

>>>ssh into a guest and then starting the root exploit[2] inside a guest now
>>>gives: Exploit seems to work. =)
> 
> 
> sshing into a guest on my system and running that root exploit gives:
> mkdir baz: Permission denied
> chroot baz: No such file or directory

I did not realize that you have to ssh into the guest as *root* to run
this rootesc binary. If I do that I get the result:

Exploit seems to work. =)

>>>And then I am able to access the host, read /etc/shadow
>>>and create /test.txt on the host.

However, I am *not* able to access the host, I cannot read /etc/shadow,
nor can I create /test.txt in the host.

I am going to try and speak with Bertl about this to try and narrow down
the issue.

Micah



Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to Micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>.

Message #22 received at 329087@bugs.debian.org:

From: Micah <micah@riseup.net>
To: Andrew Lee <andrew@linux.org.tw>, 329087@bugs.debian.org
Subject: Re: Bug#329087: kernel-patch-vserver: be able to do chroot escape
Date: Thu, 29 Sep 2005 18:35:58 -0400

When I said this:

>This is not what I get on my i386 system:
># showattr -d /var/lib/vservers/XXXX/..
>---bui- /big/vservers/XXXX/..

This was expected because that path was actually a symlink; if I perform the
showattr on the actual directory I get this:

# showattr -d /big/vservers/XXXX/..
---Bui- /big/vservers/XXXX/..

Which means that the barrier is set.

Also, the rootesc.c code is dumb and says the exploit works all the time
when it doesn't; on any 2.6 setup with namespaces it's going to say that
when it isn't actually successful.

Micah





Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to Andrew Lee <andrew@linux.org.tw>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>.

Message #27 received at 329087@bugs.debian.org:

From: Andrew Lee <andrew@linux.org.tw>
To: Micah <micah@riseup.net>
Cc: 329087@bugs.debian.org
Subject: Re: Bug#329087: kernel-patch-vserver: be able to do chroot escape
Date: Sat, 1 Oct 2005 02:24:01 +0800
Dear Micah,

Thank you for your replies; I merged the three replies into one here
for you. :)

On 2005/9/30 at 5:36 AM, Micah wrote:

> Please tell me how you run this script and what failures you get, also
> this is a destructive test, correct?

The test requires a loopback file or an empty partition; I used a
loopback file created by:
# dd bs=1024k count=1024 if=/dev/zero of=1gb.testfile
And then
# losetup /dev/loop4 1gb.testfile
# ./testfs.sh -l -t -D /dev/loop4 -M /mnt


>> # showattr -d /var/lib/vservers/XXXX/..
>> ---BU-- /var/lib/vservers/XXXX/..
>>
>
> This is not what I get on my i386 system:
>
> # showattr -d /var/lib/vservers/XXXX/..
> - ---bui- /big/vservers/XXXX/..

Yes, I assume you did the test on a 2.6 kernel, because I got that
with a test on a 2.6 kernel.
My test report was on a 2.4 kernel, so that explains why showattr
shows differently on 2.4 and 2.6.

>> # lsattr -d /var/lib/vservers/XXXX/..
>> ---------------t- /var/lib/vservers/XXXX/..
>>
>
> Also I do not get this on my system:
> # lsattr -d /var/lib/vservers/XXXX/..
> - ----------------- /big/vservers/XXXX/..

Bertl told me to use chattr +t to enable that before the tests.

> Please tell me what architecture you are running, what kernel version
> you are running, which kernel patch you are running and how you  
> applied
> and compiled the kernel. Additionally, did you setup the chroot  
> barrier
> properly?

I found this on the i386 architecture; the kernel version is 2.4.27,
built by kernel-package from kernel-source-2.4.27-10 and
kernel-patches/diffs/vserver/patch-2.4.27-9-vs1.2.10-2.diff.gz.
I was following Bertl's steps to set up the chroot barrier before the
tests:
<quote>
19:52 < Bertl> setattr --barrier /vservers/XXXX/..
setattr --barrier /vservers/XXXX/..
19:53 < Bertl> ls -lad /vservers/XXXX/..
19:53 < Bertl> d---------   11 root     root         1024 Jul  7 16:48 /vservers/XXXX/..
19:53 < Bertl> showattr -d /vservers/XXXX/..
19:53 < Bertl> ---BU-- /vservers/XXXX/..
19:53 < Bertl> lsattr -d /vservers/XXXX/..
19:53 < Bertl> -----------t- /vservers/XXXX/..
19:53 < Bertl> (on 2.4 it is important that you verify the following)
19:54 < Bertl> the directory permissions _are_ 000, the barrier 'B' and iunlink 'U' is reported, the 't' flag shows up
19:54 < Bertl> ('U' and 't' are connected on 2.4)
</quote>
Above are Bertl's steps; the only difference in my test was that my
vserver root dir is /var/lib/vservers (which is the default in Debian).

> I think you may have set something up incorrectly, or perhaps the
> util-vserver tools did not set the chroot barrier properly.

I think it is possible that the util-vserver tools did not set the chroot
barrier properly, but I set the chroot barrier again before
the tests, so it would not be a barrier setup problem.

> However, I am *not* able to access the host, I cannot read /etc/shadow,
> nor can I create /test.txt in the host.

I think that is because you tested it on a 2.6 kernel; if you test it on a 2.4
kernel it will reproduce the problem I reported.

> I am going to try and speak with Bertl about this to try and narrow down
> the issue.

Bertl asked me to file this bug, because after I reported my test results
to him, he found it was a two-year-old issue which he had fixed a long
time ago.
He also asked me to try 2.4.31 with the patch from upstream, and then
I confirmed the exploit doesn't work with upstream's patch.


>
> # showattr -d /big/vservers/XXXX/..
> ---Bui- /big/vservers/XXXX/..
>
> Which means that the barrier is set.

Yes, on a 2.6 kernel it must display like that.

> Also, the rootesc.c code is dumb and says the exploit works all the time
> when it doesn't; on any 2.6 setup with namespaces it's going to say that
> when it isn't actually successful.

Yes, that is a bug in the exploit, but who cares to fix the exploit's
bug? :p
Very sorry for the confusion; I didn't give enough information that
the exploit only works on sarge's kernel-source-2.4.27 with the
patch from kernel-patch-vserver.
I found that kernel-source-2.6.8 + kernel-patch-vserver in sarge doesn't
pass the testfs.sh script test either; Bertl mentioned that there may be
some security-related issue but he didn't give me an exploit for that.

-Andrew


Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to Alexei Chetroi <alexei.chetroi@lexa.uniflux-line.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>.

Message #32 received at 329087@bugs.debian.org:

From: Alexei Chetroi <alexei.chetroi@lexa.uniflux-line.net>
To: 329087@bugs.debian.org
Subject: Re: Bug#329087: kernel-patch-vserver: be able to do chroot escape
Date: Thu, 6 Oct 2005 10:13:34 +0300
Hi,

I can confirm this. It works on the Debian kernel 2.4.27 with the applied patch
"Virtual private servers and security contexts (vserver)", from package
kernel-patch-ctx, version 2:1.2.10-1.

The exploit at http://vserver.13thfloor.at/Stuff/rootesc.c works. I'm able to
escape the chroot and access the filesystem as I wish.

It doesn't work on the Debian kernel 2.6.8-16 with kernel-patch-vserver 2.0.

-- 
Alexei Chetroi




Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>.

Message #37 received at 329087@bugs.debian.org:

From: micah <micah@riseup.net>
To: 329087@bugs.debian.org, alexei.chetroi@lexa.uniflux-line.net
Subject: Re: Bug#329087: kernel-patch-vserver: be able to do chroot escape
Date: Sun, 09 Oct 2005 21:37:20 -0400

>  Can confirm this. Works on debian kernel 2.4.27 with applied patch:
> Virtual private servers and security contexts (vserver), from package
> kernel-patch-ctx, version 2:1.2.10-1

What debian kernel-source revision are you using?

Also, you are using the package kernel-patch-ctx? Is this sarge? Because
there is no kernel-patch-ctx in sarge, only kernel-patch-vserver.

Micah





Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>.

Message #42 received at 329087@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: micah@riseup.net
Cc: control@bugs.debian.org, 329087@bugs.debian.org
Subject: Re: Bug#329090: util-vserver: barrier not working, but chroot escape does
Date: Fri, 28 Oct 2005 21:22:54 +0200
reassign 329090 kernel-patch-vserver
retitle 329090 barrier not working, but chroot escape does on 2.4 kernel
tags 329090 + moreinfo
merge 329087 329090
thanks

Hi

With this information I'm now reassigning this to the kernel-patch-vserver
package and merging it to the existing bug there.

A simple fix is to simply remove the 2.4 kernel patches from the package
or maybe replace with 2.4 development branch patches (if such exist).

Regards,

// Ola

On Sun, Oct 23, 2005 at 02:53:34PM -0700, micah@riseup.net wrote:
> 
> No, these issues are not present in 2.6 (using the debian 2.6.8 and the
> debian kernel-patch-vserver, both from sarge). I am trying to find out if
> this is a kernel problem with the debian 2.4.27 kernel in sarge, or a
> vserver patch problem.
> 
> micah
> 
> > Hello
> >
> > To me it would be good to know if any of these issues are valid
> > if you use 2.6 kernel and patch from sarge?
> >
> > Regards,
> >
> > // Ola
> >
> > On Thu, Oct 13, 2005 at 07:00:27PM +0800, Andrew Lee wrote:
> >>
> >> Dear Micah,
> >>
> >> Thank you for your tests; I have downloaded testfs-0.11.sh and did
> >> similar tests to yours to help confirm the results.
> >>
> >> > Test #1
> >> > Using all debian sarge components:
> >> > kernel-source: 2.4.27-10 (debian sarge)
> >> > util-vserver: 0.30-204-5sarge2 (debian sarge)
> >> > kernel-patch: 1.9.5.3 (debian sarge)
> >> >
> >> > 103, 104, 106, 109, 121, 122 all fail on ext2, not 114 or 124 as your
> >> > tests show.
> >> >
> >> > Conclusion: either the fixes to testfs caused error 114 and 124 to go
> >> > away, or you have a different kernel-source or kernel-patch applied.
> >> > Either try again with testfs.sh-0.11 or install the latest sarge kernel
> >> > source and kernel-patch-vserver as those versions are all that matter here.
> >>
> >> I am using all Debian sarge components, all the same versions as yours,
> >> and then ran testfs.sh-0.11 this way (I've set up a loopback file
> >> on /dev/loop0 already); before starting testfs.sh-0.11, I confirmed the
> >> barrier was set up properly (I also did this in my other tests later):
> >> # ls -lda /var/lib/vservers
> >> d---------  8 root root 4096 Oct 13 15:37 /var/lib/vservers/
> >> # showattr -d /var/lib/vservers/
> >> ---BU-- /var/lib/vservers/
> >> # lsattr -d /var/lib/vservers
> >> ---------------t- /var/lib/vservers
> >>
> >> # ./testfs.sh-0.11 -l -t -D /dev/loop0 -M /mnt
> >> Linux-VServer FS Test [V0.10] Copyright (C) 2005 H.Poetzl
> >> Linux 2.4.27-10vserver-confirm i686/0.30.204
> >> VCI:  <none>   (unknown)
> >> ---
> >> testing ext2 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]* [104]* [106]* [108]. [109]*
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]* [122]* [123]. [124]. [199].
> >>
> >> ---
> >> testing ext3 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]* [104]* [106]* [108]. [109]*
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]* [122]* [123]. [124]. [199].
> >>
> >> Same failures as you got, and I guess Bertl forgot to change the version in
> >> the script, so the script is still showing [V0.10].
> >>
> >> I also tested the exploit:
> >>
> >> # ./rootesc
> >> Exploit seems to work. =)
> >> #
> >> And then I am able to access the host; for example, I can see the
> >> vserver's config files on the host:
> >> # ls -ald /etc/vservers /var/lib/vservers/
> >> drwxr-xr-x  4 root root 4096 Sep 22 14:10 /etc/vservers
> >> d---------  8 root root 4096 Oct 13 15:37 /var/lib/vservers/
> >>
> >> > Test #2
> >> > Using only debian sarge util-vserver:
> >> > kernel-source: 2.4.31 (upstream)
> >> > util-vserver: 0.30-204-5sarge2 (debian sarge)
> >> > kernel-patch: 1.2.10 (upstream)
> >> >
> >> >
> >> > 103, 104, 106, 109, 121, 122 all fail on ext2, the same as failed using
> >> > all debian sarge components in test #1.
> >> >
> >> > Conclusion: based on the results from this test, and the previous, it is
> >> > clear that the debian kernel source and the debian kernel patch don't
> >> > make a difference here
> >>
> >> Same here, I am using the vanilla kernel 2.4.31(from kernel.org)
> >> vserver patch 1.2.10 (upstream)
> >> util-vserver: 0.30-204-5sarge2 (debian sarge)
> >>
> >> ./testfs.sh-0.11 -l -t -D /dev/loop0 -M /mnt
> >> Linux-VServer FS Test [V0.10] Copyright (C) 2005 H.Poetzl
> >> Linux 2.4.31-vs1.2.10 i686/0.30.204
> >> VCI:  <none>   (unknown)
> >> ---
> >> testing ext2 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]* [104]* [106]* [108]. [109]*
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]* [122]* [123]. [124]. [199].
> >>
> >> ---
> >> testing ext3 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]* [104]* [106]* [108]. [109]*
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]* [122]* [123]. [124]. [199].
> >>
> >> Same result as you got; it seems testfs #1 and #2 show no difference,
> >> but the exploit works on #1's setup, not on #2.
> >>
> >> # ./rootesc
> >> cd ..: Permission denied
> >> chmod: Operation not permitted
> >> cd ..: Permission denied
> >> chmod: Operation not permitted
> >> (alternating a few times)
> >> then the false:
> >> Exploit seems to work. =)
> >> (because it always shows this line, actually it failed, but nobody
> >> bothered to fix up the exploit bug)
> >>
> >> > Test #3
> >> > Using debian sarge components with upstream util-vserver:
> >> > kernel-source: 2.4.27-10 (debian sarge)
> >> > util-vserver: 0.30-208+fix03 (upstream)
> >> > kernel-patch: 1.9.5.3 (debian sarge)
> >> >
> >> > Only test 106 fails... Not 104, 114, 122 or 124.
> >> >
> >> > Conclusion: either the fixes to testfs caused 104, 114, 122, 124 to go
> >> > away or you have a different kernel-source or kernel-patch applied, try
> >> > with testfs.sh-0.11 to see, or just try with a current sarge kernel and
> >> > patch since that is all that matters here.
> >>
> >> In your test #3, you used the 0.30-208+fix03 from upstream, and I am
> >> using the one from sid; let's see if there is any difference.
> >> I upgraded util-vserver from sid on sarge (libc6, libc6-dev and locales
> >> also had to be upgraded). These are the messages I got:
> >> Setting up util-vserver (0.30.208-3) ...
> >> Installing new version of config file /etc/init.d/rebootmgr ...
> >> Installing new version of config file /etc/init.d/vprocunhide ...
> >> Installing new version of config file /etc/init.d/vservers-legacy ...
> >> /var/lib/vservers: Operation not permitted
> >>
> >> For the error message, I don't know what is wrong in postinst script,
> >> but after I looked at the script, I found:
> >> ---
> >> # Remove older attr +t if present
> >> if [ "`lsattr -d /var/lib/vservers/|cut -c16`" = "t" ] ; then
> >>     chattr -t /var/lib/vservers
> >> fi
> >>
> >> # set chroot barrier
> >> setattr --barrier /var/lib/vservers || true
> >> ---
> >> I think this is wrong, let me quote what Bertl explained to me:
> >> <quote>
> >> 19:53 < Bertl> (on 2.4 it is important that you verify the following)
> >> 19:54 < Bertl> the directory permissions _are_ 000, the barrier 'B' and
> >> iunlink'U' is reported, the 't' flag shows up
> >> 19:54 < Bertl> ('U' and 't' are connected on 2.4)
> >> </quote>
> >> I will file another bug to util-vserver later.
> >>
> >> Let me go back to do the test #3:
> >> kernel-source: 2.4.27-10 (debian sarge)
> >> util-vserver: 0.30-208-3 (debian sid)
> >> kernel-patch: 1.9.5.3 (debian sarge)
> >> # ./testfs.sh-0.11 -l -t -D /dev/loop0 -M /mnt
> >> Linux-VServer FS Test [V0.10] Copyright (C) 2005 H.Poetzl
> >> Linux 2.4.27-10vserver-confirm i686/0.30.208
> >> VCI:  <none>   (unknown)
> >> ---
> >> testing ext2 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]. [104]. [106]* [108]. [109].
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]. [122]. [123]. [124]. [199].
> >>
> >> ---
> >> testing ext3 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]. [104]. [106]* [108]. [109].
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]. [122]. [123]. [124]. [199].
> >>
> >> Same as yours, only test 106 fails. And the exploit works here still:
> >> # ./rootesc
> >> Exploit seems to work. =)
> >> # ls -lad /etc/vservers /var/lib/vservers/
> >> drwxr-xr-x  4 root root 4096 Sep 22 14:10 /etc/vservers
> >> d---------  8 root root 4096 Oct 13 15:37 /var/lib/vservers/
> >>
> >>
> >> > Test #4
> >> > Using all upstream components:
> >> > kernel-source: 2.4.31 (upstream)
> >> > util-vserver: 0.30-208+fix03 (upstream)
> >> > kernel-patch: 1.2.10 (upstream)
> >> >
> >> > Only test 106 fails, same as the previous test, when we use the debian
> >> > sarge kernel-source and kernel-patch.
> >> >
> >> > Conclusion: Based on the results of this test, and the previous, it is
> >> > clear that the debian sarge kernel source and debian sarge kernel patch
> >> > don't make a difference here either, the problem has been isolated to
> >> > util-vserver 0.30-204-5sarge2 in sarge. If this is actually a problem, I
> >> > do not know, this definitely needs to be determined. Additionally, test
> >> > 106 could be in error, this should also be checked.
> >>
> >> In my test, I am still using the util-vserver from sid:
> >> kernel-source: 2.4.31 (upstream)
> >> util-vserver: 0.30-208-3 (Debian sid)
> >> kernel-patch: 1.2.10 (upstream)
> >>
> >> ./testfs.sh-0.11 -l -t -D /dev/loop0 -M /mnt
> >> Linux-VServer FS Test [V0.10] Copyright (C) 2005 H.Poetzl
> >> Linux 2.4.31-vs1.2.10 i686/0.30.208
> >> VCI:  <none>   (unknown)
> >> ---
> >> testing ext2 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]. [104]. [106]* [108]. [109].
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]. [122]. [123]. [124]. [199].
> >>
> >> ---
> >> testing ext3 filesystem ...
> >> [000]. xattr related tests ...
> >> [101]. [102]. [103]. [104]. [106]* [108]. [109].
> >> [112]. [113]. [114]. [115]. [116]. [117]. [118]. [119].
> >> [121]. [122]. [123]. [124]. [199].
> >>
> >> Same as you got, only fails on 106.
> >> And exploit doesn't work:
> >> # ./rootesc
> >> cd ..: Permission denied
> >> chmod: Operation not permitted
> >> cd ..: Permission denied
> >> chmod: Operation not permitted
> >> (alternating a few times)
> >> then the false:
> >> Exploit seems to work. =)
> >>
> >> > The above tests are only done with ext2, I am not sure why you didn't do
> >> > the xfs, reiserfs and jfs tests, but there is no need, as I have done them:
> >> >
> >> > Conclusion: using *all* upstream pieces, the same failures occur when
> >> > using debian kernel source and kernel patch. This leads me to believe
> >> > that either the upstream kernel source is broken, the upstream linux
> >> > vserver patch is broken, or most likely the testfs is not working
> >> > properly for these tests.
> >>
> >> I do not know; the difference I found is that the exploit works only on
> >> 2.4.27-10 with kernel-patch-vserver 1.9.5.3 (debian sarge), but not with
> >> the vanilla kernel with the upstream patch.
> >>
> >> I didn't test reiserfs, xfs and jfs, because I knew some features are only
> >> implemented on ext2/3 (e.g. disklimit), so I only focused my tests on ext2/3.
> >>
> >> Let me know if you need more tests on my side to investigate this
> >> problem.
> >>
> >> Thank you very much for investigating this issue.
> >>
> >> Best regards,
> >>
> >> -Andrew
> >>
> >>

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
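A check for the barrier recipe Bertl gave in message #27 above and for the util-vserver postinst snippet quoted in this message (which strips the 't' flag a 2.4 kernel needs): an added example, not code from the bug report or from util-vserver. It assumes the `ls -ld`, `showattr -d` and `lsattr -d` output formats shown in the thread; the core function takes those lines as arguments so it can be exercised without a vserver host.

```shell
# Added example (not from the bug report or util-vserver): verify that a
# Linux-VServer chroot barrier directory looks the way Bertl describes in
# this thread. Assumes the ls/showattr/lsattr output formats shown there.

# check_barrier_lines MODE_LINE SHOWATTR_LINE LSATTR_LINE KERNEL_RELEASE
#   MODE_LINE      output of `ls -ld DIR`      e.g. "d---------  8 root root ..."
#   SHOWATTR_LINE  output of `showattr -d DIR` e.g. "---BU-- /var/lib/vservers"
#   LSATTR_LINE    output of `lsattr -d DIR`   e.g. "---------------t- /var/..."
#   KERNEL_RELEASE output of `uname -r`        e.g. "2.4.27-10vserver"
# Prints each problem found; returns 0 only when every check passes.
check_barrier_lines() {
    mode_line=$1; showattr_line=$2; lsattr_line=$3; release=$4
    problems=0

    # 1. Directory permissions must be 000, i.e. "d---------" in ls -ld.
    #    A leading 'l' means a symlink was given: as Micah found in this
    #    thread, showattr then reports the link, not the target, so reject it.
    perms=$(printf '%s\n' "$mode_line" | cut -c1-10)
    case $perms in
        d---------) ;;
        d*) echo "permissions are $perms, expected d---------"
            problems=$((problems + 1)) ;;
        *)  echo "not a directory (mode field $perms); give the real path"
            problems=$((problems + 1)) ;;
    esac

    # 2. showattr prints the flag field first; an uppercase letter means the
    #    flag is set (2.6 prints unset flags in lowercase, 2.4 prints '-').
    attrs=${showattr_line%% *}
    case $attrs in
        *B*) ;;
        *) echo "barrier flag 'B' not set in showattr ($attrs)"
           problems=$((problems + 1)) ;;
    esac

    # 3. On 2.4 the barrier rides on the iunlink attribute, so 'U' in showattr
    #    and 't' in lsattr must also be present ("'U' and 't' are connected on
    #    2.4"). A postinst that runs `chattr -t` on the directory, as the one
    #    quoted in this thread does, makes this check fail on a 2.4 kernel.
    case $release in
        2.4.*)
            case $attrs in
                *U*) ;;
                *) echo "iunlink flag 'U' not set in showattr on 2.4 ($attrs)"
                   problems=$((problems + 1)) ;;
            esac
            lsflags=${lsattr_line%% *}
            case $lsflags in
                *t*) ;;
                *) echo "'t' flag missing in lsattr on 2.4 ($lsflags)"
                   problems=$((problems + 1)) ;;
            esac
            ;;
    esac

    [ "$problems" -eq 0 ]
}

# Wrapper that gathers the live output for one directory, e.g.
#   check_barrier_dir /var/lib/vservers
check_barrier_dir() {
    dir=$1
    check_barrier_lines "$(ls -ld "$dir")" "$(showattr -d "$dir")" \
                        "$(lsattr -d "$dir")" "$(uname -r)"
}
```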



Merged 329087 329090. Request was from Ola Lundqvist <opal@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#329087; Package kernel-patch-vserver.

Acknowledgement sent to Micah Anderson <micah@debian.org>:
Extra info received and forwarded to list.

Message #49 received at 329087@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: 329087@bugs.debian.org, control@bugs.debian.org
Subject: Cause found, and fix
Date: Sun, 20 Nov 2005 16:06:20 -0500

tag 329087 +security
tag 329087 +patch

The upstream kernel patch maintainer looked at the Debian patch and
found that when the port was done, key pieces were not included that
would prevent such an escape, namely the immutable unlink extended
filesystem attributes and the capability system that would enforce the
chroot barrier. This is a Debian-specific problem, limited to
the 2.4 kernel patch included with kernel-patch-vserver.

The attached patch resolves this issue.
[Attachment: delta-2.4.27-9-vs1.2.10-fix01.diff]
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/ext2/ialloc.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext2/ialloc.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/ext2/ialloc.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext2/ialloc.c	2005-11-11 04:51:07 +0100
@@ -390,9 +390,9 @@ repeat:
 	inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
 	inode->u.ext2_i.i_state = EXT2_STATE_NEW;
 	inode->u.ext2_i.i_flags = dir->u.ext2_i.i_flags &
-		~(EXT2_BTREE_FL|EXT2_IMMUTABLE_LINK_FL);
+		~(EXT2_BTREE_FL|EXT2_IUNLINK_FL);
 	if (S_ISLNK(mode))
-		inode->u.ext2_i.i_flags &= ~(EXT2_IMMUTABLE_FILE_FL|EXT2_APPEND_FL);
+		inode->u.ext2_i.i_flags &= ~(EXT2_IMMUTABLE_FL|EXT2_APPEND_FL);
 	inode->u.ext2_i.i_block_group = group;
 	ext2_set_inode_flags(inode);
 	insert_inode_hash(inode);
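Review bot: this hunk is a pure rename (EXT2_IMMUTABLE_LINK_FL to EXT2_IUNLINK_FL, EXT2_IMMUTABLE_FILE_FL to EXT2_IMMUTABLE_FL) with the same inheritance logic as before, but the definitions of the new names are not in the visible part of the patch; the header change should be reviewed together with this hunk to confirm both names resolve to the flag bits that setattr --barrier and chattr +t write on a sarge system, since a mismatch would leave an existing on-disk barrier unrecognised. A one-line comment on why EXT2_IUNLINK_FL is deliberately excluded from the flags a new inode inherits (the barrier belongs to the parent directory only) would make the intent clear to the next porter.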
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/ext2/inode.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext2/inode.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/ext2/inode.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext2/inode.c	2005-11-11 04:51:07 +0100
@@ -892,7 +892,7 @@ do_indirects:
 
 void ext2_truncate (struct inode * inode)
 {
-	if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode))
+	if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
 		return;
 	ext2_truncate_nocheck(inode);
 }
@@ -901,15 +901,15 @@ void ext2_set_inode_flags(struct inode *
 {
 	unsigned int flags = inode->u.ext2_i.i_flags;
 
-	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE_FILE|S_IMMUTABLE_LINK|S_NOATIME);
+	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE|S_IUNLINK|S_NOATIME);
 	if (flags & EXT2_SYNC_FL)
 		inode->i_flags |= S_SYNC;
 	if (flags & EXT2_APPEND_FL)
 		inode->i_flags |= S_APPEND;
-	if (flags & EXT2_IMMUTABLE_FILE_FL)
-		inode->i_flags |= S_IMMUTABLE_FILE;
-	if (flags & EXT2_IMMUTABLE_LINK_FL)
-		inode->i_flags |= S_IMMUTABLE_LINK;
+	if (flags & EXT2_IMMUTABLE_FL)
+		inode->i_flags |= S_IMMUTABLE;
+	if (flags & EXT2_IUNLINK_FL)
+		inode->i_flags |= S_IUNLINK;
 	if (flags & EXT2_NOATIME_FL)
 		inode->i_flags |= S_NOATIME;
 }
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/ext2/ioctl.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext2/ioctl.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/ext2/ioctl.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext2/ioctl.c	2005-11-11 04:51:07 +0100
@@ -44,9 +44,9 @@ int ext2_ioctl (struct inode * inode, st
 		 *
 		 * This test looks nicer. Thanks to Pauline Middelink
 		 */
-		if ((oldflags & EXT2_IMMUTABLE_FILE_FL) ||
+		if ((oldflags & EXT2_IMMUTABLE_FL) ||
 			((flags ^ oldflags) & (EXT2_APPEND_FL |
-			EXT2_IMMUTABLE_FILE_FL | EXT2_IMMUTABLE_LINK_FL))) {
+			EXT2_IMMUTABLE_FL | EXT2_IUNLINK_FL))) {
 			if (!capable(CAP_LINUX_IMMUTABLE))
 				return -EPERM;
 		}
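Review bot: this is the check that keeps a guest from clearing the barrier flag, since toggling EXT2_IUNLINK_FL now falls under the (flags ^ oldflags) mask and therefore requires CAP_LINUX_IMMUTABLE; the fix only holds if guest contexts run without CAP_LINUX_IMMUTABLE, which is worth stating explicitly in the package changelog or README so that nobody re-grants it. The ext3 ioctl hunk below is the same change.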
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/ext3/ialloc.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext3/ialloc.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/ext3/ialloc.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext3/ialloc.c	2005-11-11 04:51:07 +0100
@@ -486,9 +486,9 @@ repeat:
 	inode->i_blocks = 0;
 	inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
 	inode->u.ext3_i.i_flags = dir->u.ext3_i.i_flags &
-		~(EXT3_INDEX_FL|EXT3_IMMUTABLE_LINK_FL);
+		~(EXT3_INDEX_FL|EXT3_IUNLINK_FL);
 	if (S_ISLNK(mode))
-		inode->u.ext3_i.i_flags &= ~(EXT3_IMMUTABLE_FILE_FL|EXT3_APPEND_FL);
+		inode->u.ext3_i.i_flags &= ~(EXT3_IMMUTABLE_FL|EXT3_APPEND_FL);
 #ifdef EXT3_FRAGMENTS
 	inode->u.ext3_i.i_faddr = 0;
 	inode->u.ext3_i.i_frag_no = 0;
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/ext3/inode.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext3/inode.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/ext3/inode.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext3/inode.c	2005-11-11 04:51:07 +0100
@@ -2017,7 +2017,7 @@ out_stop:
 
 void ext3_truncate(struct inode * inode)
 {
-	if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode))
+	if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
 		return;
 	ext3_truncate_nocheck(inode);
 }
@@ -2091,15 +2091,15 @@ void ext3_set_inode_flags(struct inode *
 {
 	unsigned int flags = inode->u.ext3_i.i_flags;
 
-	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE_FILE|S_IMMUTABLE_LINK|S_NOATIME);
+	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE|S_IUNLINK|S_NOATIME);
 	if (flags & EXT3_SYNC_FL)
 		inode->i_flags |= S_SYNC;
 	if (flags & EXT3_APPEND_FL)
 		inode->i_flags |= S_APPEND;
-	if (flags & EXT3_IMMUTABLE_FILE_FL)
-		inode->i_flags |= S_IMMUTABLE_FILE;
-	if (flags & EXT3_IMMUTABLE_LINK_FL)
-		inode->i_flags |= S_IMMUTABLE_LINK;
+	if (flags & EXT3_IMMUTABLE_FL)
+		inode->i_flags |= S_IMMUTABLE;
+	if (flags & EXT3_IUNLINK_FL)
+		inode->i_flags |= S_IUNLINK;
 	if (flags & EXT3_NOATIME_FL)
 		inode->i_flags |= S_NOATIME;
 }
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/ext3/ioctl.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext3/ioctl.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/ext3/ioctl.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ext3/ioctl.c	2005-11-11 04:51:07 +0100
@@ -53,9 +53,9 @@ int ext3_ioctl (struct inode * inode, st
 		 *
 		 * This test looks nicer. Thanks to Pauline Middelink
 		 */
-		if ((oldflags & EXT3_IMMUTABLE_FILE_FL) ||
+		if ((oldflags & EXT3_IMMUTABLE_FL) ||
 			((flags ^ oldflags) & (EXT3_APPEND_FL |
-			EXT3_IMMUTABLE_FILE_FL | EXT3_IMMUTABLE_LINK_FL))) {
+			EXT3_IMMUTABLE_FL | EXT3_IUNLINK_FL))) {
 			if (!capable(CAP_LINUX_IMMUTABLE))
 				return -EPERM;
 		}
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/fat/file.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/fat/file.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/fat/file.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/fat/file.c	2005-11-11 04:51:07 +0100
@@ -119,7 +119,7 @@ void fat_truncate(struct inode *inode)
 	/* Why no return value?  Surely the disk could fail... */
 	if (IS_RDONLY (inode))
 		return /* -EPERM */;
-	if (IS_IMMUTABLE_FILE(inode))
+	if (IS_IMMUTABLE(inode))
 		return /* -EPERM */;
 	cluster = 1 << sbi->cluster_bits;
 	/* 
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/fat/inode.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/fat/inode.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/fat/inode.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/fat/inode.c	2005-11-11 04:51:07 +0100
@@ -960,7 +960,7 @@ static void fat_fill_inode(struct inode 
 	}
 	if(de->attr & ATTR_SYS)
 		if (sbi->options.sys_immutable)
-			inode->i_flags |= S_IMMUTABLE_FILE;
+			inode->i_flags |= S_IMMUTABLE;
 	MSDOS_I(inode)->i_attrs = de->attr & ATTR_UNUSED;
 	/* this is as close to the truth as we can get ... */
 	inode->i_blksize = 1 << sbi->cluster_bits;
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/hpfs/file.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/hpfs/file.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/hpfs/file.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/hpfs/file.c	2005-11-11 04:51:07 +0100
@@ -60,7 +60,7 @@ secno hpfs_bmap(struct inode *inode, uns
 
 void hpfs_truncate(struct inode *i)
 {
-	if (IS_IMMUTABLE_FILE(i)) return /*-EPERM*/;
+	if (IS_IMMUTABLE(i)) return /*-EPERM*/;
 	i->i_hpfs_n_secs = 0;
 	i->i_blocks = 1 + ((i->i_size + 511) >> 9);
 	i->u.hpfs_i.mmu_private = i->i_size;
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/intermezzo/vfs.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/intermezzo/vfs.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/intermezzo/vfs.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/intermezzo/vfs.c	2005-11-11 04:51:07 +0100
@@ -139,8 +139,8 @@ static inline int may_delete(struct inod
                 return error;
         if (IS_APPEND(dir))
                 return -EPERM;
-        if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)||
-	    IS_IMMUTABLE_LINK(victim->d_inode))
+	if (check_sticky(dir, victim->d_inode) ||
+	    IS_APPEND(victim->d_inode) || IS_IXORUNLINK(victim->d_inode))
                 return -EPERM;
         if (isdir) {
                 if (!S_ISDIR(victim->d_inode->i_mode))
@@ -262,7 +262,7 @@ int presto_settime(struct presto_file_se
                         return -EROFS;
                 }
 
-		if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode)) {
+		if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) {
                         EXIT;
                         return -EPERM;
                 }
@@ -377,7 +377,7 @@ int presto_do_setattr(struct presto_file
                 return -EROFS;
         }
 
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode)) {
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) {
                 EXIT;
                 return -EPERM;
         }
@@ -772,7 +772,7 @@ int presto_do_link(struct presto_file_se
          * A link to an append-only or immutable file cannot be created.
          */
         error = -EPERM;
-	if (IS_APPEND(inode) || IS_IMMUTABLE_LINK(inode)) {
+	if (IS_APPEND(inode) || IS_IXORUNLINK(inode)) {
                 EXIT;
                 goto exit_lock;
         }
@@ -2362,7 +2362,7 @@ int presto_do_set_ext_attr(struct presto
                 return -EROFS;
         }
 
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode)) {
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) {
                 EXIT;
                 return -EPERM;
         }
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/jfs/xattr.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/jfs/xattr.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/jfs/xattr.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/jfs/xattr.c	2005-11-11 04:51:07 +0100
@@ -654,7 +654,7 @@ static int can_set_xattr(struct inode *i
 	if (IS_RDONLY(inode))
 		return -EROFS;
 
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode) || S_ISLNK(inode->i_mode))
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode) || S_ISLNK(inode->i_mode))
 		return -EPERM;
 
 	if((strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) != 0) &&
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/namei.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/namei.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/namei.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/namei.c	2005-11-11 04:51:07 +0100
@@ -153,9 +153,6 @@ int vfs_permission(struct inode * inode,
 {
 	umode_t			mode = inode->i_mode;
 
-	if (IS_BARRIER(inode) && !vx_check(0, VX_ADMIN))
-		return -EACCES;
-
 	if (mask & MAY_WRITE) {
 		/*
 		 * Nobody gets write access to a read-only fs.
@@ -167,7 +164,7 @@ int vfs_permission(struct inode * inode,
 		/*
 		 * Nobody gets write access to an immutable file.
 		 */
-		if (IS_IMMUTABLE_FILE(inode))
+		if (IS_IMMUTABLE(inode))
 			return -EACCES;
 	}
 
@@ -202,6 +199,9 @@ int vfs_permission(struct inode * inode,
 
 int permission(struct inode * inode,int mask)
 {
+	if (IS_BARRIER(inode) && !vx_check(0, VX_ADMIN))
+		return -EACCES;
+
 	if (inode->i_op && inode->i_op->permission) {
 		int retval;
 		lock_kernel();
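Review bot: moving the IS_BARRIER test from vfs_permission() into permission() is the substantive part of this fix and should be called out in the changelog: as the context lines show, vfs_permission() is only reached when a filesystem supplies no i_op->permission of its own, so any filesystem providing that hook was previously evaluated without the barrier check. Worth grepping the tree for remaining direct callers of vfs_permission() so that none of them still bypasses the barrier.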
@@ -908,7 +908,8 @@ static inline int may_delete(struct inod
 		return error;
 	if (IS_APPEND(dir))
 		return -EPERM;
-	if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)||IS_IMMUTABLE_LINK(victim->d_inode))
+	if (check_sticky(dir, victim->d_inode) ||
+	    IS_APPEND(victim->d_inode) || IS_IXORUNLINK(victim->d_inode))
 		return -EPERM;
 	if (isdir) {
 		if (!S_ISDIR(victim->d_inode->i_mode))
@@ -1624,7 +1625,7 @@ int vfs_link(struct dentry *old_dentry, 
 	 * A link to an append-only or immutable file cannot be created.
 	 */
 	error = -EPERM;
-	if (IS_APPEND(inode) || IS_IMMUTABLE_LINK(inode))
+	if (IS_APPEND(inode) || IS_IXORUNLINK(inode))
 		goto exit_lock;
 	if (!dir->i_op || !dir->i_op->link)
 		goto exit_lock;
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/nfsd/vfs.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/nfsd/vfs.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/nfsd/vfs.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/nfsd/vfs.c	2005-11-11 04:51:07 +0100
@@ -1491,8 +1491,8 @@ nfsd_permission(struct svc_export *exp, 
 		(acc & MAY_LOCK)?	" lock"  : "",
 		(acc & MAY_OWNER_OVERRIDE)? " owneroverride" : "",
 		inode->i_mode,
-		IS_IMMUTABLE_FILE(inode)? " immut(F)" : "",
-		IS_IMMUTABLE_LINK(inode)? " immut(L)" : "",
+		IS_IMMUTABLE(inode)?	" immut" : "",
+		IS_IUNLINK(inode)?	" iunlink" : "",
 		IS_APPEND(inode)?	" append" : "",
 		IS_RDONLY(inode)?	" ro" : "");
 	dprintk("      owner %d/%d user %d/%d\n",
@@ -1511,7 +1511,7 @@ nfsd_permission(struct svc_export *exp, 
 	 && (acc & (MAY_WRITE | MAY_SATTR | MAY_TRUNC))) {
 		if (EX_RDONLY(exp) || IS_RDONLY(inode))
 			return nfserr_rofs;
-		if (/* (acc & MAY_WRITE) && */ IS_IMMUTABLE_FILE(inode))
+		if (/* (acc & MAY_WRITE) && */ IS_IMMUTABLE(inode))
 			return nfserr_perm;
 	}
 	if ((acc & MAY_TRUNC) && IS_APPEND(inode))
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/open.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/open.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/open.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/open.c	2005-11-11 04:51:07 +0100
@@ -148,7 +148,7 @@ static inline long do_sys_truncate(const
 		goto dput_and_out;
 
 	error = -EPERM;
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode))
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto dput_and_out;
 
 	/*
@@ -275,7 +275,7 @@ asmlinkage long sys_utime(char * filenam
 	newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME;
 	if (times) {
 		error = -EPERM;
-		if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode))
+		if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
 			goto dput_and_out;
 		error = get_user(newattrs.ia_atime, &times->actime);
 		if (!error) 
@@ -286,7 +286,7 @@ asmlinkage long sys_utime(char * filenam
 		newattrs.ia_valid |= ATTR_ATIME_SET | ATTR_MTIME_SET;
 	} else {
 		error = -EACCES;
-		if (IS_IMMUTABLE_FILE(inode))
+		if (IS_IMMUTABLE(inode))
 			goto dput_and_out;
 		if (current->fsuid != inode->i_uid &&
 		    (error = permission(inode,MAY_WRITE)) != 0)
@@ -327,7 +327,7 @@ asmlinkage long sys_utimes(char * filena
 	if (utimes) {
 		struct timeval times[2];
 		error = -EPERM;
-		if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode))
+		if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
 			goto dput_and_out;
 		error = -EFAULT;
 		if (copy_from_user(&times, utimes, sizeof(times)))
@@ -337,7 +337,7 @@ asmlinkage long sys_utimes(char * filena
 		newattrs.ia_valid |= ATTR_ATIME_SET | ATTR_MTIME_SET;
 	} else {
 		error = -EACCES;
-		if (IS_IMMUTABLE_FILE(inode))
+		if (IS_IMMUTABLE(inode))
 			goto dput_and_out;
 
 		if (current->fsuid != inode->i_uid &&
@@ -493,10 +493,10 @@ asmlinkage long sys_fchmod(unsigned int 
 	if (IS_RDONLY(inode))
 		goto out_putf;
 	err = -EPERM;
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode))
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto out_putf;
 	/* not required, but just to make sure ;) */
-	if (IS_BARRIER(inode))
+	if (IS_BARRIER(inode) && !vx_check(0, VX_ADMIN))
 		goto out_putf;
 	if (mode == (mode_t) -1)
 		mode = inode->i_mode;
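Review bot: the comment "not required, but just to make sure ;)" above this check is misleading and should be reworded: IS_BARRIER (per the fs.h hunk) requires the directory's 0777 mode bits to be zero, so a successful chmod on the barrier directory dissolves the barrier, and this test is what prevents that for contexts without VX_ADMIN. The same applies to the sys_chmod hunk that follows.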
@@ -527,10 +527,10 @@ asmlinkage long sys_chmod(const char * f
 		goto dput_and_out;
 
 	error = -EPERM;
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode))
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto dput_and_out;
 	/* not required, but just to make sure ;) */
-	if (IS_BARRIER(inode))
+	if (IS_BARRIER(inode) && !vx_check(0, VX_ADMIN))
 		goto dput_and_out;
 
 	if (mode == (mode_t) -1)
@@ -560,7 +560,7 @@ static int chown_common(struct dentry * 
 	if (IS_RDONLY(inode))
 		goto out;
 	error = -EPERM;
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode))
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto out;
 	if (user == (uid_t) -1)
 		user = inode->i_uid;
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/proc/base.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/proc/base.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/proc/base.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/proc/base.c	2005-11-11 04:51:07 +0100
@@ -1094,7 +1094,7 @@ struct dentry *proc_pid_lookup(struct in
 	inode->i_op = &proc_base_inode_operations;
 	inode->i_fop = &proc_base_operations;
 	inode->i_nlink = 3;
-	inode->i_flags|=S_IMMUTABLE_FILE;
+	inode->i_flags|=S_IMMUTABLE;
 
 	dentry->d_op = &pid_base_dentry_operations;
 	d_add(dentry, inode);
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/reiserfs/inode.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/reiserfs/inode.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/reiserfs/inode.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/reiserfs/inode.c	2005-11-11 04:51:07 +0100
@@ -1574,7 +1574,7 @@ int reiserfs_new_inode (struct reiserfs_
 
     /* symlink cannot be immutable or append only, right? */
     if( S_ISLNK( inode -> i_mode ) )
-	    inode -> i_flags &= ~ ( S_IMMUTABLE_FILE | S_APPEND );
+	    inode -> i_flags &= ~ ( S_IMMUTABLE | S_APPEND );
 
     /* item head of new item */
     ih.ih_key.k_dir_id = INODE_PKEY (dir)->k_objectid;
@@ -2177,14 +2177,14 @@ void sd_attrs_to_i_attrs( __u16 sd_attrs
 			inode -> i_flags |= S_SYNC;
 		else
 			inode -> i_flags &= ~S_SYNC;
-		if( sd_attrs & REISERFS_IMMUTABLE_FILE_FL )
-			inode -> i_flags |= S_IMMUTABLE_FILE;
+		if( sd_attrs & REISERFS_IMMUTABLE_FL )
+			inode -> i_flags |= S_IMMUTABLE;
 		else
-			inode -> i_flags &= ~S_IMMUTABLE_FILE;
-		if( sd_attrs & REISERFS_IMMUTABLE_LINK_FL )
-			inode -> i_flags |= S_IMMUTABLE_LINK;
+			inode -> i_flags &= ~S_IMMUTABLE;
+		if( sd_attrs & REISERFS_IUNLINK_FL )
+			inode -> i_flags |= S_IUNLINK;
 		else
-			inode -> i_flags &= ~S_IMMUTABLE_LINK;
+			inode -> i_flags &= ~S_IUNLINK;
 		if( sd_attrs & REISERFS_APPEND_FL )
 			inode -> i_flags |= S_APPEND;
 		else
@@ -2203,14 +2203,14 @@ void sd_attrs_to_i_attrs( __u16 sd_attrs
 void i_attrs_to_sd_attrs( struct inode *inode, __u16 *sd_attrs )
 {
 	if( reiserfs_attrs( inode -> i_sb ) ) {
-		if( inode -> i_flags & S_IMMUTABLE_FILE )
-			*sd_attrs |= REISERFS_IMMUTABLE_FILE_FL;
+		if( inode -> i_flags & S_IMMUTABLE )
+			*sd_attrs |= REISERFS_IMMUTABLE_FL;
 		else
-			*sd_attrs &= ~REISERFS_IMMUTABLE_FILE_FL;
-		if( inode -> i_flags & S_IMMUTABLE_LINK )
-			*sd_attrs |= REISERFS_IMMUTABLE_LINK_FL;
+			*sd_attrs &= ~REISERFS_IMMUTABLE_FL;
+		if( inode -> i_flags & S_IUNLINK )
+			*sd_attrs |= REISERFS_IUNLINK_FL;
 		else
-			*sd_attrs &= ~REISERFS_IMMUTABLE_LINK_FL;
+			*sd_attrs &= ~REISERFS_IUNLINK_FL;
 		if( inode -> i_flags & S_SYNC )
 			*sd_attrs |= REISERFS_SYNC_FL;
 		else
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/reiserfs/ioctl.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/reiserfs/ioctl.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/reiserfs/ioctl.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/reiserfs/ioctl.c	2005-11-11 04:51:07 +0100
@@ -42,6 +42,8 @@ int reiserfs_ioctl (struct inode * inode
 		i_attrs_to_sd_attrs( inode, ( __u16 * ) &flags );
 		return put_user(flags, (int *) arg);
 	case REISERFS_IOC_SETFLAGS: {
+		unsigned int oldflags;
+
 		if (IS_RDONLY(inode))
 			return -EROFS;
 
@@ -51,12 +53,14 @@ int reiserfs_ioctl (struct inode * inode
 		if (get_user(flags, (int *) arg))
 			return -EFAULT;
 
-		if ( (inode->u.reiserfs_i.i_attrs & REISERFS_IMMUTABLE_FILE_FL) ||
-		     ( ( ( flags ^ inode->u.reiserfs_i.i_attrs) &
-		     ( REISERFS_IMMUTABLE_FILE_FL |
-		       REISERFS_IMMUTABLE_LINK_FL | REISERFS_APPEND_FL ) ) &&
-		     !capable( CAP_LINUX_IMMUTABLE ) ) )
+		oldflags = inode->u.reiserfs_i.i_attrs;
+
+		if ((oldflags & REISERFS_IMMUTABLE_FL) ||
+		    ((flags ^ oldflags) & (REISERFS_APPEND_FL |
+		    REISERFS_IMMUTABLE_FL | REISERFS_IUNLINK_FL))) {
+			if (!capable(CAP_LINUX_IMMUTABLE))
 			return -EPERM;
+		}
 			
 		if( ( flags & REISERFS_NOTAIL_FL ) &&
 		    S_ISREG( inode -> i_mode ) ) {
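Review bot: the `return -EPERM;` context line now sits inside the new `if (!capable(CAP_LINUX_IMMUTABLE))` block but kept its old indentation, one level shallower than the statement guarding it; re-indent it. Behaviourally the rewrite is an improvement: the old condition returned -EPERM for any inode that already had the immutable flag set, even when the caller held CAP_LINUX_IMMUTABLE, whereas the new form matches the ext2/ext3 ioctl logic.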
@@ -66,6 +70,9 @@ int reiserfs_ioctl (struct inode * inode
 				if( result )
 					return result;
 		}
+
+		flags = flags & REISERFS_FL_USER_MODIFIABLE;
+		flags |= oldflags & ~REISERFS_FL_USER_MODIFIABLE;
 		sd_attrs_to_i_attrs( flags, inode );
 		inode -> u.reiserfs_i.i_attrs = flags;
 		inode->i_ctime = CURRENT_TIME;
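Review bot: the REISERFS_FL_USER_MODIFIABLE masking correctly carries flags outside the user-modifiable set over from oldflags instead of letting a SETFLAGS call clear them, but since REISERFS_FL_USER_MODIFIABLE is defined to include REISERFS_IUNLINK_FL (reiserfs_fs.h hunk), the barrier bit remains user-settable and its protection rests entirely on the CAP_LINUX_IMMUTABLE check earlier in this function; a one-line comment saying so would help the next reader.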
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/udf/inode.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/udf/inode.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/udf/inode.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/udf/inode.c	2005-11-11 04:51:07 +0100
@@ -860,7 +860,7 @@ void udf_truncate(struct inode * inode)
 	if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) ||
 			S_ISLNK(inode->i_mode)))
 		return;
-	if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode))
+	if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
 		return;
 
 	if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_IN_ICB)
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/ufs/truncate.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ufs/truncate.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/ufs/truncate.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/ufs/truncate.c	2005-11-11 04:51:07 +0100
@@ -434,7 +434,7 @@ void ufs_truncate (struct inode * inode)
 
 	if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)))
 		return;
-	if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode))
+	if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
 		return;
 	while (1) {
 		retry = ufs_trunc_direct(inode);
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/xfs/linux-2.4/xfs_ioctl.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/linux-2.4/xfs_ioctl.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/xfs/linux-2.4/xfs_ioctl.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/linux-2.4/xfs_ioctl.c	2005-11-11 04:51:07 +0100
@@ -339,7 +339,7 @@ xfs_open_by_handle(
 		return -XFS_ERROR(EPERM);
 	}
 
-	if ((permflag & FMODE_WRITE) && IS_IMMUTABLE_FILE(inode)) {
+	if ((permflag & FMODE_WRITE) && IS_IMMUTABLE(inode)) {
 		iput(inode);
 		return -XFS_ERROR(EACCES);
 	}
@@ -445,7 +445,7 @@ xfs_fssetdm_by_handle(
 	if (error)
 		return -error;
 
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode)) {
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) {
 		VN_RELE(vp);
 		return -XFS_ERROR(EPERM);
 	}
@@ -540,7 +540,7 @@ xfs_attrmulti_by_handle(
 					NULL, ops[i].am_error);
 			break;
 		case ATTR_OP_SET:
-			if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode)) {
+			if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) {
 				ops[i].am_error = EPERM;
 				break;
 			}
@@ -549,7 +549,7 @@ xfs_attrmulti_by_handle(
 					NULL, ops[i].am_error);
 			break;
 		case ATTR_OP_REMOVE:
-			if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode)) {
+			if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) {
 				ops[i].am_error = EPERM;
 				break;
 			}
@@ -892,7 +892,7 @@ xfs_ioc_space(
 	int			attr_flags = 0;
 	int			error;
 
-	if (vp->v_inode.i_flags & (S_IMMUTABLE_FILE|S_APPEND))
+	if (vp->v_inode.i_flags & (S_IMMUTABLE|S_APPEND))
 		return -XFS_ERROR(EPERM);
 
 	if (!(filp->f_flags & FMODE_WRITE))
@@ -1068,6 +1068,8 @@ xfs_di2lxflags(
 
 	if (di_flags & XFS_DIFLAG_IMMUTABLE)
 		flags |= LINUX_XFLAG_IMMUTABLE;
+	if (di_flags & XFS_DIFLAG_IUNLINK)
+		flags |= LINUX_XFLAG_IUNLINK;
 	if (di_flags & XFS_DIFLAG_APPEND)
 		flags |= LINUX_XFLAG_APPEND;
 	if (di_flags & XFS_DIFLAG_SYNC)
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/xfs/linux-2.4/xfs_super.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/linux-2.4/xfs_super.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/xfs/linux-2.4/xfs_super.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/linux-2.4/xfs_super.c	2005-11-11 04:51:07 +0100
@@ -176,13 +176,13 @@ xfs_revalidate_inode(
 	inode->i_mtime	= ip->i_d.di_mtime.t_sec;
 	inode->i_ctime	= ip->i_d.di_ctime.t_sec;
 	if (ip->i_d.di_flags & XFS_DIFLAG_IMMUTABLE)
-		inode->i_flags |= S_IMMUTABLE_FILE;
+		inode->i_flags |= S_IMMUTABLE;
 	else
-		inode->i_flags &= ~S_IMMUTABLE_FILE;
+		inode->i_flags &= ~S_IMMUTABLE;
 	if (ip->i_d.di_flags & XFS_DIFLAG_IUNLINK)
-		inode->i_flags |= S_IMMUTABLE_LINK;
+		inode->i_flags |= S_IUNLINK;
 	else
-		inode->i_flags &= ~S_IMMUTABLE_LINK;
+		inode->i_flags &= ~S_IUNLINK;
 	if (ip->i_d.di_flags & XFS_DIFLAG_APPEND)
 		inode->i_flags |= S_APPEND;
 	else
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/xfs/linux-2.4/xfs_vnode.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/linux-2.4/xfs_vnode.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/xfs/linux-2.4/xfs_vnode.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/linux-2.4/xfs_vnode.c	2005-11-11 04:51:07 +0100
@@ -219,13 +219,13 @@ vn_revalidate_core(
 	inode->i_ctime	    = vap->va_ctime.tv_sec;
 	inode->i_atime	    = vap->va_atime.tv_sec;
 	if (vap->va_xflags & XFS_XFLAG_IMMUTABLE)
-			inode->i_flags |= S_IMMUTABLE_FILE;
+		inode->i_flags |= S_IMMUTABLE;
 	else
-			inode->i_flags &= ~S_IMMUTABLE_FILE;
+		inode->i_flags &= ~S_IMMUTABLE;
 		if (vap->va_xflags & XFS_XFLAG_IUNLINK)
-			inode->i_flags |= S_IMMUTABLE_LINK;
+		inode->i_flags |= S_IUNLINK;
 	else
-			inode->i_flags &= ~S_IMMUTABLE_LINK;
+		inode->i_flags &= ~S_IUNLINK;
 	if (vap->va_xflags & XFS_XFLAG_APPEND)
 		inode->i_flags |= S_APPEND;
 	else
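Review bot: the context line `if (vap->va_xflags & XFS_XFLAG_IUNLINK)` is indented two tabs while the surrounding if/else chain and the re-indented branches use one, so the IUNLINK branch still reads as if nested under the preceding else; since this hunk already re-indents its branches, fix that line as well.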
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/xfs/xfs_acl.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/xfs_acl.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/xfs/xfs_acl.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/xfs_acl.c	2005-11-11 04:51:07 +0100
@@ -387,7 +387,7 @@ xfs_acl_allow_set(
 	vattr_t		va;
 	int		error;
 
-	if (vp->v_inode.i_flags & (S_IMMUTABLE_FILE|S_APPEND))
+	if (vp->v_inode.i_flags & (S_IMMUTABLE|S_APPEND))
 		return EPERM;
 	if (kind == _ACL_TYPE_DEFAULT && vp->v_type != VDIR)
 		return ENOTDIR;
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/xfs/xfs_attr.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/xfs_attr.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/xfs/xfs_attr.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/xfs_attr.c	2005-11-11 04:51:07 +0100
@@ -2548,7 +2548,7 @@ attr_user_capable(
 {
 	struct inode	*inode = LINVFS_GET_IP(vp);
 
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode))
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		return -EPERM;
 	if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode) &&
 	    !capable(CAP_SYS_ADMIN))
@@ -2566,7 +2566,7 @@ attr_trusted_capable(
 {
 	struct inode	*inode = LINVFS_GET_IP(vp);
 
-	if (IS_IMMUTABLE_FILE(inode) || IS_APPEND(inode))
+	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		return -EPERM;
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/fs/xfs/xfs_inode.c linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/xfs_inode.c
--- linux-2.4.27-9-vs1.2.10.micah/fs/xfs/xfs_inode.c	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/fs/xfs/xfs_inode.c	2005-11-11 04:51:07 +0100
@@ -869,6 +869,8 @@ xfs_dic2xflags(
 		flags |= XFS_XFLAG_PREALLOC;
 	if (di_flags & XFS_DIFLAG_IMMUTABLE)
 		flags |= XFS_XFLAG_IMMUTABLE;
+	if (di_flags & XFS_DIFLAG_IUNLINK)
+		flags |= XFS_XFLAG_IUNLINK;
 	if (di_flags & XFS_DIFLAG_APPEND)
 		flags |= XFS_XFLAG_APPEND;
 	if (di_flags & XFS_DIFLAG_SYNC)
@@ -3702,7 +3704,7 @@ xfs_iaccess(
 		    (S_ISREG(imode) || S_ISDIR(imode) || S_ISLNK(imode)))
 			return XFS_ERROR(EROFS);
 
-		if (IS_IMMUTABLE_FILE(inode))
+		if (IS_IMMUTABLE(inode))
 			return XFS_ERROR(EACCES);
 	}
 
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/include/linux/capability.h linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/capability.h
--- linux-2.4.27-9-vs1.2.10.micah/include/linux/capability.h	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/capability.h	2005-11-11 04:52:45 +0100
@@ -130,7 +130,7 @@ typedef __u32 kernel_cap_t;
 
 #define CAP_SETPCAP          8
 
-/* Allow modification of S_IMMUTABLE_* and S_APPEND file
+/* Allow modification of S_IUNLINK_* and S_APPEND file
    attributes */
 
 #define CAP_LINUX_IMMUTABLE  9
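Review bot: the rewritten comment is wrong: there is no S_IUNLINK_* family, and the flags this capability gates are S_IMMUTABLE, S_IUNLINK and S_APPEND (see the fs.h hunk), so it should read "Allow modification of S_IMMUTABLE, S_IUNLINK and S_APPEND file attributes".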
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/include/linux/ext2_fs.h linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/ext2_fs.h
--- linux-2.4.27-9-vs1.2.10.micah/include/linux/ext2_fs.h	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/ext2_fs.h	2005-11-11 04:54:27 +0100
@@ -162,7 +162,7 @@ struct ext2_group_desc
 #define	EXT2_UNRM_FL			0x00000002 /* Undelete */
 #define	EXT2_COMPR_FL			0x00000004 /* Compress file */
 #define EXT2_SYNC_FL			0x00000008 /* Synchronous updates */
-#define EXT2_IMMUTABLE_FILE_FL		0x00000010 /* Immutable file */
+#define EXT2_IMMUTABLE_FL		0x00000010 /* Immutable file */
 #define EXT2_APPEND_FL			0x00000020 /* writes to file may only append */
 #define EXT2_NODUMP_FL			0x00000040 /* do not dump file */
 #define EXT2_NOATIME_FL			0x00000080 /* do not update atime */
@@ -173,7 +173,7 @@ struct ext2_group_desc
 #define EXT2_ECOMPR_FL			0x00000800 /* Compression error */
 /* End compression flags --- maybe not all used */	
 #define EXT2_BTREE_FL			0x00001000 /* btree format dir */
-#define EXT2_IMMUTABLE_LINK_FL		0x00008000 /* Immutable link */
+#define EXT2_IUNLINK_FL			0x00008000 /* Immutable unlink */
 #define EXT2_RESERVED_FL		0x80000000 /* reserved for ext2 lib */
 
 #define EXT2_FL_USER_VISIBLE		0x00009FFF /* User visible flags */
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/include/linux/ext3_fs.h linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/ext3_fs.h
--- linux-2.4.27-9-vs1.2.10.micah/include/linux/ext3_fs.h	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/ext3_fs.h	2005-11-11 04:54:36 +0100
@@ -165,7 +165,7 @@ struct ext3_group_desc
 #define	EXT3_UNRM_FL			0x00000002 /* Undelete */
 #define	EXT3_COMPR_FL			0x00000004 /* Compress file */
 #define EXT3_SYNC_FL			0x00000008 /* Synchronous updates */
-#define EXT3_IMMUTABLE_FILE_FL		0x00000010 /* Immutable file */
+#define EXT3_IMMUTABLE_FL		0x00000010 /* Immutable file */
 #define EXT3_APPEND_FL			0x00000020 /* writes to file may only append */
 #define EXT3_NODUMP_FL			0x00000040 /* do not dump file */
 #define EXT3_NOATIME_FL			0x00000080 /* do not update atime */
@@ -178,7 +178,7 @@ struct ext3_group_desc
 #define EXT3_INDEX_FL			0x00001000 /* hash-indexed directory */
 #define EXT3_IMAGIC_FL			0x00002000 /* AFS directory */
 #define EXT3_JOURNAL_DATA_FL		0x00004000 /* file data should be journaled */
-#define EXT3_IMMUTABLE_LINK_FL		0x00008000 /* Immutable link */
+#define EXT3_IUNLINK_FL			0x00008000 /* Immutable unlink */
 #define EXT3_RESERVED_FL		0x80000000 /* reserved for ext3 lib */
 
 #define EXT3_FL_USER_VISIBLE		0x0000DFFF /* User visible flags */
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/include/linux/fs.h linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/fs.h
--- linux-2.4.27-9-vs1.2.10.micah/include/linux/fs.h	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/fs.h	2005-11-11 04:52:45 +0100
@@ -133,10 +133,10 @@ extern int leases_enable, dir_notify_ena
 #define S_NOATIME	2	/* Do not update access times */
 #define S_QUOTA		4	/* Quota initialized for file */
 #define S_APPEND	8	/* Append-only file */
-#define S_IMMUTABLE_FILE	16	/* Immutable file */
+#define S_IMMUTABLE	16	/* Immutable file */
 #define S_DEAD		32	/* removed, but still open directory */
 #define S_NOQUOTA	64	/* Inode is not counted to quota */
-#define S_IMMUTABLE_LINK	128	/* Immutable links */
+#define S_IUNLINK	128	/* Immutable unlink */
 
 /*
  * Note that nosuid etc flags are inode-specific: setting some file-system
@@ -160,16 +160,16 @@ extern int leases_enable, dir_notify_ena
 #define IS_QUOTAINIT(inode)	((inode)->i_flags & S_QUOTA)
 #define IS_NOQUOTA(inode)	((inode)->i_flags & S_NOQUOTA)
 #define IS_APPEND(inode)	((inode)->i_flags & S_APPEND)
-#define IS_IMMUTABLE_FILE(inode) ((inode)->i_flags & S_IMMUTABLE_FILE)
-#define IS_IMMUTABLE_LINK(inode) ((((inode)->i_flags & S_IMMUTABLE_FILE) << 3) ^\
-				((inode)->i_flags & S_IMMUTABLE_LINK))
+#define IS_IMMUTABLE(inode)	((inode)->i_flags & S_IMMUTABLE)
+#define IS_IUNLINK(inode)       ((inode)->i_flags & S_IUNLINK)
+#define IS_IXORUNLINK(inode)	((IS_IUNLINK(inode) ? S_IMMUTABLE : 0) ^ IS_IMMUTABLE(inode))
 #define IS_NOATIME(inode)	(__IS_FLG(inode, MS_NOATIME) || ((inode)->i_flags & S_NOATIME))
 #define IS_NODIRATIME(inode)	__IS_FLG(inode, MS_NODIRATIME)
 #define IS_POSIXACL(inode)	__IS_FLG(inode, MS_POSIXACL)
 
 #define IS_BARRIER(inode)	(S_ISDIR((inode)->i_mode) && \
 				(inode->i_mode & 0777) == 0 && \
-				((inode)->i_flags & S_IMMUTABLE_LINK))
+				((inode)->i_flags & S_IUNLINK))
 
 #define IS_DEADDIR(inode)	((inode)->i_flags & S_DEAD)
 
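Review bot: IS_IXORUNLINK deserves a comment stating its semantics, because they are not obvious from the name: it is non-zero when exactly one of S_IMMUTABLE and S_IUNLINK is set, so an inode carrying both flags is deliberately unlinkable (the "immutable but unlinkable" case relied on by may_delete() and vfs_link()), while an inode with only S_IUNLINK cannot be unlinked. The old IS_IMMUTABLE_LINK computed the same XOR through the (S_IMMUTABLE_FILE << 3) shift, which only worked because 16 << 3 happens to equal 128; the new form is clearer. Also, IS_IUNLINK is aligned with spaces while its neighbours use tabs.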
diff -NurpP --minimal linux-2.4.27-9-vs1.2.10.micah/include/linux/reiserfs_fs.h linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/reiserfs_fs.h
--- linux-2.4.27-9-vs1.2.10.micah/include/linux/reiserfs_fs.h	2005-11-11 03:28:50 +0100
+++ linux-2.4.27-9-vs1.2.10.micah-fix01/include/linux/reiserfs_fs.h	2005-11-11 04:55:53 +0100
@@ -866,8 +866,8 @@ struct stat_data_v1
 
 /* we want common flags to have the same values as in ext2,
    so chattr(1) will work without problems */
-#define REISERFS_IMMUTABLE_FILE_FL EXT2_IMMUTABLE_FILE_FL
-#define REISERFS_IMMUTABLE_LINK_FL EXT2_IMMUTABLE_LINK_FL
+#define REISERFS_IMMUTABLE_FL EXT2_IMMUTABLE_FL
+#define REISERFS_IUNLINK_FL   EXT2_IUNLINK_FL
 #define REISERFS_APPEND_FL    EXT2_APPEND_FL
 #define REISERFS_SYNC_FL      EXT2_SYNC_FL
 #define REISERFS_NOATIME_FL   EXT2_NOATIME_FL
@@ -883,8 +883,10 @@ struct stat_data_v1
    numeric constant to ext2 macro when available. */
 #define REISERFS_NOTAIL_FL    (0x00008000) /* EXT2_NOTAIL_FL */
 
+#define REISERFS_FL_USER_MODIFIABLE (REISERFS_IUNLINK_FL|0x80FF)
+
 /* persistent flags that file inherits from the parent directory */
-#define REISERFS_INHERIT_MASK ( REISERFS_IMMUTABLE_FILE_FL |	\
+#define REISERFS_INHERIT_MASK ( REISERFS_IMMUTABLE_FL |	\
 				REISERFS_SYNC_FL |	\
 				REISERFS_NOATIME_FL |	\
 				REISERFS_NODUMP_FL |	\
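Review bot: REISERFS_FL_USER_MODIFIABLE is introduced as (REISERFS_IUNLINK_FL|0x80FF) with no comment on which flags the 0x80FF literal stands for, while the neighbouring REISERFS_NOTAIL_FL line documents its constant with the equivalent ext2 macro; build the mask from named REISERFS_*_FL values or add a comment listing the bits, because a mask that decides which inode flags an unprivileged user may set is where an undocumented bit turns into a privilege regression. Whether the immutable bit lies inside 0x80FF cannot be read off this hunk, and that matters for the barrier semantics, so state it explicitly next to the definition.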

Tags added: security. Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org.

Tags added: patch. Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org.

Disconnected #329090 from all other report(s). Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org.

Reply sent to Micah Anderson <micah@debian.org>:
You have taken responsibility.

Notification sent to Andrew Lee <andrew@linux.org.tw>:
Bug acknowledged by developer.

Message #60 received at 329087-close@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: 329087-close@bugs.debian.org
Subject: Bug#329087: fixed in kernel-patch-vserver 2.3
Date: Tue, 29 Nov 2005 10:47:11 -0800
Source: kernel-patch-vserver
Source-Version: 2.3

We believe that the bug you reported is fixed in the latest version of
kernel-patch-vserver, which is due to be installed in the Debian FTP archive:

kernel-patch-vserver_2.3.dsc
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_2.3.dsc
kernel-patch-vserver_2.3.tar.gz
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_2.3.tar.gz
kernel-patch-vserver_2.3_all.deb
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_2.3_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 329087@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Micah Anderson <micah@debian.org> (supplier of updated kernel-patch-vserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 29 Nov 2005 13:29:38 -0500
Source: kernel-patch-vserver
Binary: kernel-patch-vserver
Architecture: source all
Version: 2.3
Distribution: unstable
Urgency: high
Maintainer: Micah Anderson <micah@debian.org>
Changed-By: Micah Anderson <micah@debian.org>
Description: 
 kernel-patch-vserver - context switching virtual private servers - kernel patch
Closes: 329087
Changes: 
 kernel-patch-vserver (2.3) unstable; urgency=high
 .
   * Previous fix was missing one IS_IMMUTABLE_FILE instance,
     thanks to Alexei Chetroi (Closes: #329087)
Files: 
 43fb001ad50413d7f8e182ec28aab8aa 602 devel extra kernel-patch-vserver_2.3.dsc
 1017bddd6201f75f5565b3f8019e31c9 1614838 devel extra kernel-patch-vserver_2.3.tar.gz
 ffc048e5a31646ddb026966986a29b18 595808 devel extra kernel-patch-vserver_2.3_all.deb

Reply sent to Micah Anderson <micah@debian.org>:
You have taken responsibility.

Notification sent to Andrew Lee <andrew@linux.org.tw>:
Bug acknowledged by developer.

Message #65 received at 329087-close@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: 329087-close@bugs.debian.org
Subject: Bug#329087: fixed in kernel-patch-vserver 1.9.5.4
Date: Mon, 20 Mar 2006 23:02:13 -0800
Source: kernel-patch-vserver
Source-Version: 1.9.5.4

We believe that the bug you reported is fixed in the latest version of
kernel-patch-vserver, which is due to be installed in the Debian FTP archive:

kernel-patch-vserver_1.9.5.4.dsc
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.4.dsc
kernel-patch-vserver_1.9.5.4.tar.gz
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.4.tar.gz
kernel-patch-vserver_1.9.5.4_all.deb
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.4_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 329087@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Micah Anderson <micah@debian.org> (supplier of updated kernel-patch-vserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 20 Nov 2005 17:16:45 -0500
Source: kernel-patch-vserver
Binary: kernel-patch-vserver
Architecture: source all
Version: 1.9.5.4
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Micah Anderson <micah@debian.org>
Description: 
 kernel-patch-vserver - context switching virtual private servers - kernel patch
Closes: 329087
Changes: 
 kernel-patch-vserver (1.9.5.4) stable-security; urgency=high
 .
   * Updated 2.4.27 kernel patch to fix chroot escape as a result
     of missing immutable unlink extended filesystem attributes
     and the capability system that would enforce the chroot
     barrier. (Closes: #329087)
Files: 
 9befc3f1ef20d620d87a8d073258ea0d 635 devel extra kernel-patch-vserver_1.9.5.4.dsc
 f3e339b76de5b6bd8f84e01cd079c2b3 980051 devel extra kernel-patch-vserver_1.9.5.4.tar.gz
 e98fefbcbaa631427c37c3c3fbde159d 467052 devel extra kernel-patch-vserver_1.9.5.4_all.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2007 01:44:59 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:59:44 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.