Bugtraq mailing list archives

compartment
From: marc () SUSE DE (Marc Heuse)
Date: Mon, 3 Jan 2000 20:34:20 +0100


Hi folks,

I just wanted to announce that a small but nice tool is available for
testing. It's a program to build secure compartments for running
untrusted/insecure programs, and has got the usual uid/gid setting and
chrooting ability, but the nice thing is the easy access to Linux per
process capabilities.

e.g. running an anon-ftp or webserver software on a privileged port chrooted:
"compartment --chroot /chroot/ftp --cap CAP_NET_BIND_SERVICE anon-ftpd"

You can find v0.5 of the compartment utility at http://www.suse.de/~marc

Syntax: compartment [options] /full/path/to/program

Options:
         --chroot path   chroot to path
         --user user     change uid to this user
         --group group   change gid to this group
         --init program  execute this program/script before doing anything
         --cap capset    set capset name. You can specify several capsets.
         --verbose       be verbose
         --quiet         do no logging (to syslog)

I know the following capset names: CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
CAP_FOWNER CAP_FSETID CAP_FS_MASK CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP
CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN
CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG

Greets,
        Marc

--
   Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
   E () mail: marc () suse de  Function: Security Support & Auditing
   "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE  16 D9 70 D4 87 B5 63 6C
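
Added example, not part of the original post or of the compartment tool: one way to confirm that a process started with a restricted capset such as `--cap CAP_NET_BIND_SERVICE` holds nothing more is to decode the CapInh/CapPrm/CapEff masks in /proc/<pid>/status. Bit numbers follow <linux/capability.h>; the function names and the sample status text are assumptions constructed for illustration.

```python
# Added example: audit a process's capability sets against an allow-list.
# CAP_FS_MASK from the post's list is a mask of several bits in the kernel
# header rather than a single capability, so it has no entry here.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26,
}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}

def decode_mask(mask):
    """Return the capability names set in mask; unknown bits become CAP_<n>."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(BIT_NAMES.get(bit, "CAP_%d" % bit))
        bit += 1
    return names

def parse_status(text):
    """Extract the CapInh/CapPrm/CapEff hex masks from /proc/<pid>/status text."""
    sets = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff"):
            sets[key] = int(value.strip(), 16)
    return sets

def excess_capabilities(status_text, allowed):
    """Map each capability set to the names it holds beyond the allow-list."""
    allowed_mask = 0
    for name in allowed:
        allowed_mask |= 1 << CAP_BITS[name]
    return {key: decode_mask(mask & ~allowed_mask)
            for key, mask in parse_status(status_text).items()
            if mask & ~allowed_mask}

# Constructed samples: only bit 10 set, then bit 10 plus bit 21 (CAP_SYS_ADMIN).
SAMPLE_OK = ("Name:\tanon-ftpd\nCapInh:\t0000000000000000\n"
             "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n")
SAMPLE_BAD = ("Name:\tanon-ftpd\nCapInh:\t0000000000000000\n"
              "CapPrm:\t0000000000200400\nCapEff:\t0000000000200400\n")
```

An empty result from `excess_capabilities(open("/proc/<pid>/status").read(), ["CAP_NET_BIND_SERVICE"])` means the process holds nothing beyond the allow-list in any of the three sets.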
