OpenVPN issues on a OpenVZ / Virtuozzo enabled VPS

Error Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)

Just follow the KB at http://wiki.openvz.org/VPN_via_the_TUN/TAP_device

Error Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)

As mentioned in the same KB URL, just do the steps below and things should be alright again

vzctl set 101 --devices c:10:200:rw --save
vzctl set 101 --capability net_admin:on --save

Basically the errors are caused by the non-execution of the two commands mentioned above.

CRITICAL : Serious kernel bug!!! Root privilege escalation

Tavis Ormandy and Julien Tinnes of the Google Security Team has unleashed a major kernel bug. A serious and critical security flaw has been found in both 2.4 and 2.6 kernel, enabling the attacked to gain the complete root access. I believe this is one major kernel bug in last few years. Distros release the Update… or we have to patch the kernel…

Believe me, this works Seriously works! See below from an exploit running all over the net.

[sages@tech ~]$ chmod +x run.sh
[sages@tech ~]$ ./run.sh
padlina z lublina!
sh-3.2# whoami
root
sh-3.2#

While a patched kernel should show the output as below

[sages@tech ~]$ chmod +x run.sh
[sages@tech ~]$ ./run.sh
padlina z lublina!
mprotect: Cannot allocate memory
[sages@tech ~]$

===============================================================

Linux NULL pointer dereference due to incorrect proto_ops initializations
————————————————————————-

In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.

If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the “accept” operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.

This is not always a security issue, as the kernel validates the pointers at
the call site, such as this example from sock_splice_read:

static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
struct pipe_inode_info *pipe, size_t len,
unsigned int flags)
{
struct socket *sock = file->private_data;

if (unlikely(!sock->ops->splice_read))
return -EINVAL;

return sock->ops->splice_read(sock, ppos, pipe, len, flags);
}

But we have found an example where this is not the case; the sock_sendpage()
routine does not validate the function pointer is valid before dereferencing
it, and therefore relies on the correct initialization of the proto_ops
structure.

We have identified several examples where the initialization is incomplete:

- The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct
at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX,
PF_IRDA, PF_X25 and PF_AX25 families.

- Initializations were missing in other protocols, including PF_BLUETOOTH,
PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

——————–
Affected Software
————————

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:

- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4

——————–
Consequences
———————–

This issue is easily exploitable for local privilege escalation. In order to
exploit this, an attacker would create a mapping at address zero containing
code to be executed with privileges of the kernel, and then trigger a
vulnerable operation using a sequence like this:

/* … */
int fdin = mkstemp(template);
int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);

unlink(template);

ftruncate(fdin, PAGE_SIZE);

sendfile(fdout, fdin, NULL, PAGE_SIZE);
/* … */

Please note, sendfile() is just one of many ways to cause a sendpage
operation on a socket.

Successful exploitation will lead to complete attacker control of the system.

——————-
Mitigation
———————–

Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.

It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
published attacks against mmap_min_addr.

——————-
Solution
———————–

Linus committed a patch correcting this issue on 13th August 2009.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

——————-
Credit
———————–

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.

================================================================

Sad part is that there isn’t a patch from distro developers. And we have to manually compile the kernel. Oh guys.. release a patch soon or else my dear servers. Blog of Julien, http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html has more in depth details.

How to enable IPtable modules on a VPS

Before trying to enable iptable modules on the VPS, make sure that those modules are enabled on the root node server. To check whether the particular iptable modules are enabled or not on the root node, execute the following command.

lsmod

A Sample out put for the lsmod is :

Module                  Size  Used by
xt_helper              35584  0
ip_conntrack_ftp       42320  2
ipt_LOG                39808  0
ipt_owner              34944  0
ipt_REDIRECT           34944  0
ipt_recent             43404  2
xt_state               35200  5
sch_sfq                38912  1
cls_u32                41352  1
sch_cbq                50688  1
ppp_deflate            39168  0
zlib_deflate           52760  1 ppp_deflate
ppp_async              45184  0
ppp_generic            62624  2 ppp_deflate,ppp_async
slhc                   39552  1 ppp_generic
crc_ccitt              35200  1 ppp_async
tun                    47872  0
vzethdev               47264  0
simfs                  38296  36
vzrst                 173096  0
vzcpt                 148792  0
vzdquota               78832  36 [permanent]
xt_tcpudp              36224  21
xt_length              34944  0
ipt_ttl                34816  0
xt_tcpmss              35328  0
ipt_TCPMSS             37248  0
iptable_mangle         37888  36
xt_multiport           36224  0
xt_limit               36352  4
ipt_tos                34560  0
ipt_REJECT             39556  1
iptable_nat            43532  46
ip_nat                 53392  3 ipt_REDIRECT,vzrst,iptable_nat
iptable_filter         37760  42
ip_conntrack          100884  29 xt_helper,ip_conntrack_ftp,xt_state,vzrst,vzcpt,iptable_nat,ip_nat
nfnetlink              40392  2 ip_nat,ip_conntrack
ip_tables              57440  3 iptable_mangle,iptable_nat,iptable_filter
x_tables               52744  17 xt_helper,ipt_LOG,ipt_owner,ipt_REDIRECT,ipt_recent,xt_state,xt_tcpudp,xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,iptable_nat,ip_tables
autofs4                57480  2
hidp                   83584  2
rfcomm                105000  0

Here we can see most of the modules are already enabled on the node server. If not enabled, execute the following commands one by one to enable those.

modprobe ipt_helper
modprobe ipt_REDIRECT
modprobe ipt_state
modprobe ipt_TCPMSS
modprobe ipt_LOG
modprobe ipt_TOS
modprobe iptable_nat
modprobe ipt_length
modprobe ipt_tcpmss
modprobe iptable_mangle
modprobe ipt_limit
modprobe ipt_tos
modprobe iptable_filter
modprobe ipt_helper
modprobe ipt_tos
modprobe ipt_ttl
modprobe ipt_REJECT
modprobe ipt_helper
modprobe ipt_owner

Next step is to enable these modules on the VPS.

Stop the container first :  vzctl stop 960 ( replace 960 with the concerned VPS ID )

Execute the following command :

vzctl set 960 –iptables ipt_REJECT –iptables ipt_tos –iptables ipt_TOS –iptables ipt_LOG –iptables ip_conntrack –iptables ipt_limit –iptables ipt_multiport –iptables iptable_filter –iptables iptable_mangle –iptables ipt_TCPMSS –iptables ipt_tcpmss –iptables ipt_ttl –iptables ipt_length –iptables ipt_state –iptables iptable_nat –iptables ip_nat_ftp –iptables ip_conntrack_ftp –iptables ip_conntrack_irc –iptables ip_nat_irc –iptables ipt_owner –iptables ipt_helper –save

Start the container : vzctl start 960

check whether the modules are enabled from the configuration file cat /etc/vz/conf/960.conf. You are DONE.

Please note that if the command “vzctl set 960 –iptables ipt_ ….” is executed for the second time for the same VPS, it will over write the previous configuration.

For enabling it on all VPSes, please add to /etc/sysconfig/vz all those modules like IPTABLES=”module1 module2 ….etc”

Kloxo restart fails giving entropy error

Kloxo, lighttpd as well as FTP restarting failed on a VPS after the installation of VNC there,

Starting kloxo: 11
2009-07-17 08:35:38: (network.c.321) SSL: not enough entropy in the pool
mysqld (pid 29904) is running…

Solution was to create a urandom file. /proc/sys/kernel/random/entropy_avail was having the value of 3 or so, which I believe is too low. /proc/sys/kernel/random/poolsize now has 4096 . /dev/random will block if there is nothing left in the entropy bit bucket. /dev/urandom uses the same bucket – but will not block (it can reuse the pool of bits) and I believe lighttpd can use both random and urandom. Good for us

mknod -m 644 /dev/urandom c 1 9

pure-ftpd fails to start in a OpenVZ server

Issue : pure-ftpd was not starting in a ispCP enabled VPS server. It was showing failed status in both xinetd and standalone version. ispCP stores the information in MySQL database.

Troubleshooting :

Run the pure-ftpd script using the command itself, and without the sysV startup script.
/usr/sbin/pure-ftpd --daemonize -A -c50 -B -C8 -D -E -fftp -H -I15 -lmysql:/etc/pure-ftpd/pureftpd-mysql.conf -L7500:8 -m4 -s -U133:022 -u500 -i -Oclf:/var/log/pureftpd.log -k99 -Z -4

Again failure. Now turn for strace.
yum install strace

Error to be noted was below

capset(0x19980330, 0, {CAP_CHOWN|CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_NICE, CAP_CHOWN|CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_NICE, 0}) = -1 EPERM (Operation not permitted)

followed by a log message in /var/log/messages as
pure-ftpd: (?@?) [ERROR] Unable to switch capabilities : Operation not permitted

Edit the VPS configuration file in the node to add lines below directly as below and then restart the vps from node or PIM or anything you use as the control panel.

CAPABILITY=”CHOWN:on DAC_READ_SEARCH:on SETGID:on SETUID:on NET_BIND_SERVICE:on NET_ADMIN:on SYS_CHROOT:on SYS_NICE:on”

A restart of VPS should fix the error