[Pkg-sysvinit-devel] Bug#390126: initscripts: breaks chroots and vservers

[Matthew Sackman]

Hi,

I've just suffered this same issue with my vservers breaking. The
problem is your use of

  mount -n --bind / /.root

By default, vservers have no capabilities and so this call fails with
"Permission denied". The only solution I came across was to restart the
vserver with CAP_SYS_ADMIN so that the mount call would succeed. Doing
this makes the vserver about as insecure as a normal non-vserver based
system. It's problematic though because it order to give it the
capability, you have to restart the vserver and with the initscripts in
chaos at the time, it's slightly worrying...

#
# Create /var/run and /var/lock on the root partition to make sure
# they are available if RAMRUN or RAMLOCK is enabled.
#
if dpkg --compare-versions "$PREV_VER" lt "2.86.ds1-22"
then
        # We need to quickly bind / to another location so we can make
        # them
        # just in case /var is a mountpoint or a symlink to one.
        mkdir /.root
        mount -n --bind / /.root

        mkdir -p /.root/var/run /.root/var/lock

        umount /.root
        rmdir /.root
fi

Is there anyway of achieving this without the use of mount? The other
problem is that having died at the mount call, you then have to work out
to rm -rf /.root before you can try reinstalling. Ideally, if you really
need mount to work, you should check for the presence of the necessary
capability and exit cleanly (preinit?).

Cheers,

Matthew
-- 
Matthew Sackman

BOFH excuse #68:
only available on a need to know basis