Checking for secure chroot barrier

diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index 4c1578d5cb51f3125e72e93c87fe26008516ff66..3609fb10ea7d06f2b9a84f08636f0d21080e187c 100644 (file)
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -226,6 +226,13 @@ define vserver($ensure, $context, $in_domain = '', $mark = '', $legacy = false,
       require => Exec["vs_create_${vs_name}"];
   }
 
+  # ensure a secure chroot barrier
+  # we have to do it for each vserver, see
+  # http://linux-vserver.org/Secure_chroot_Barrier#Solution:_Secure_Barrier
+  exec { "setattr --barrier /etc/vservers/${vs_name}/vdir/../":
+    unless => "showattr /etc/vservers/${vs_name}/vdir/../ | grep -- '----Bui- /etc/vservers/${vs_name}/vdir/../$'"
+  }
+
   case $ensure {
     present: {
       # don't start or stop the vserver, just make sure it exists, we just run a dummy status test here