This host was cut off from the net for a while. I’ll tell you why, and I’m sure you’ll find it very funny, because geek humor is something *everyone* can relate to!
The story goes thus: There is a privilege escalation vulnerability in Linux kernels 2.6.13 to anything before 220.127.116.11, and terror has been running 2.6.14.something. The vulnerability explained:
“The bug allows a local user to gain root privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.”
Ah, yes, I can see how that can put a damper on your BBQ. So I innocently baked a new kernel and rebooted terror from at home, hoping it would cheerfully fsck its disks during the reboot and be ready for people’s wishes again in a few minutes. But half an hour later, the poor thing still hadn’t ponged my pings. So I thought I might have screwed up the initrd and left it at that, postponing any new discoveries until I could be physically present near the server today.
Come Monday: I energetically bounce into the server room, certain that a reboot to the old kernel and some poking here and there would bring back terror. But what dost my eyes see-eth? The thing is back up and blinking its login prompt at me. “Odd,” thinks I, “how did it manage to boot the new kernel?”
The machine was humming along and full of stored up servitude, because the network device hadn’t come up during reboot, so nobody could reach it and it couldn’t reach anybody. A quick manual try reveals that it doesn’t understand iptables anymore. Iptables! Its old friend! Suddenly a stranger! Looking at the kernel configuration system I saw a bunch of new options concerning “xtables”, and the IP filter config looked radically different. I manually brought up the network interface without iptables, and lo, it worked! I just hadn’t kept up with the kernel news and any migration/upgrade documentation, so I paid the price and now have a non-working iptables.
To make a short story not longer than it actually was, I’m now putting the patched Debian kernel in place. I don’t have time to research xtables and why my particular selection of modules wouldn’t mimic the old iptables functionality, so there. It’s not like I’m losing anything in the process. The moral of it all: Always read the kernel news.
See, I told you it would be funny! Now do you want to help me knit a man-size 12-sided die?