[Gluster-infra] [Gluster-devel] An attempt to thwart G_LOG corruption
Michael Scherer
mscherer at redhat.com
Mon Aug 24 13:28:24 UTC 2015
Le dimanche 23 août 2015 à 18:54 +0200, Niels de Vos a écrit :
> On Sat, Aug 22, 2015 at 07:16:31PM +0200, Emmanuel Dreyfus wrote:
> > Hello
> >
> > We have a rogue test that appends log data to an incorrect open file
> > descriptors, clobebring various system and library files with logs. That
> > quickly renders regression slaves unusable.
> >
> > I tried an exepriment to thwart that threat: NetBSD FFS filesystem
> > features an immutable flag, which tells even root cannot modify the
> > file. I applied it on nbslave7[1-j] for the following files and
> > directories (and their children)
> > /.cshrc /.profile /altroot /bin /boot /boot.cfg /etc /grub /lib /libdata
> > /libexec /netbsd /netbsd7-XEN3PAE_DOMU /opt /rescue /root /sbin /stand
> > /usr
> >
> > Let me know if it is too wide and causes trouble. If anyone wants to
> > experiment:
> > Recursively (-R) installs the flag in /usr:
> > chflags -R uchg /usr
> > Recursively remove it:
> > chflags -R nouchg /usr
> >
> > We also have schg/noschg, which can be set at any time but can only be
> > removed by root in a single-user shell. I ruled out this because I am
> > not sure rackspace console access lets us use single user mode.
>
> Great idea! I was thinking of something like SElinux, but that is
> obviously not available for NetBSD.
>
> Thanks for setting this up and checking on its progress,
I wonder if we could do something with ostree, since that would make the
system readonly.
--
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.gluster.org/pipermail/gluster-infra/attachments/20150824/1adc89cf/attachment.sig>
More information about the Gluster-infra
mailing list