From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Mon 31 Dec 2001 - 16:06:59 GMT
On Sat, 29 Dec 2001 16:41:21 -0500, norbert wegener wrote
> I just started playing with vserver0.9. The conf template only shows
> very limited CAPS : CAP_NET_RAW.
> Taking random caps from /usr/include/linux/capability.h into the S_CAPS
> var I get error messages starting the server.
> in 01.conf I have defined the following:
> S_CAPS="CAP_NET_RAW CAP_TO_MASK CAP_NET_BROADCAST CAP_CHOWN
> nobbi:/home/norbert/kernel/vserver-0.9 # vserver 01 start
> Starting the virtual server 01
> Server 01 is not running
> rm: »var/lock/subsys/httpd« ist ein Verzeichnis
> FLAGS= --flag lock --flag nproc
> CAPS= --cap CAP_NET_RAW --cap CAP_TO_MASK --cap CAP_NET_BROADCAST --cap
> CAP_CHOWN --cap CAP_DAC_OVERRIDE
> ipv4root is now 192.168.0.222
> Unknown capability CAP_TO_MASK
> Unknown capability CAP_CHOWN
> Unknown capability CAP_DAC_OVERRIDE
> Host name is now vs01
> New security context is 22
Here is the problem.
A vserver normally runs with fewer capabilities than the root server. The
following capabilities are removed.
The S_CAPS allows you to get back some of those capabilities. All the others
are already available. The idea is that root in a vserver should be able to
do his work (kill any process, manipulate any file), but should not be able
to grab more privileges and potentially break into the root server.
So I did not include those capabilities in the chcontext utility since they
were already available (CAP_CHOWN and the other above).
But someone may want to fiddle with capabilities even more and create
a no-root capable vserver. Given you are allowed to use the ! sign to negate
a capability, it might be useful to specify CAP_CHOWN and friends like this
So I have added those extra capabilities in the list so it won't complain anymore.
So the short answer is: You probably do not need to specify those capabilities
because you already have them enabled in the vserver.
vserver 0.10 will have a more complete list.
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
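
An added illustration of the S_CAPS behaviour described in the reply above (not part of the original message and not chcontext's own code): a small C resolver that starts from a reduced capability set, grants names back, honours `!` negation, and rejects names it does not know. Assumptions: the default-removed set holds only CAP_NET_RAW and CAP_NET_BROADCAST, the two names the quoted run accepted (the actual list is not given in the message), and `resolve_caps`, `cap_bit` and the table are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Subset of capability numbers from <linux/capability.h>. CAP_TO_MASK is
   a macro in that header, not a capability, so it is not listed here. */
static const struct { const char *name; int bit; } caps[] = {
    {"CAP_CHOWN", 0}, {"CAP_DAC_OVERRIDE", 1}, {"CAP_KILL", 5},
    {"CAP_NET_BROADCAST", 11}, {"CAP_NET_RAW", 13},
};

/* Assumption: only these two are removed by default in this sketch;
   the real removed list is not shown in the message. */
#define REMOVED   ((1u << 11) | (1u << 13))
#define ALL_KNOWN ((1u << 0) | (1u << 1) | (1u << 5) | REMOVED)

static int cap_bit(const char *name) {
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++)
        if (strcmp(caps[i].name, name) == 0)
            return caps[i].bit;
    return -1; /* not a capability name */
}

/* Resolve a space-separated S_CAPS-style list into a bitmask.
   A leading '!' drops a capability; *unknown counts rejected names. */
unsigned resolve_caps(const char *s_caps, int *unknown) {
    unsigned mask = ALL_KNOWN & ~REMOVED; /* what the guest root keeps */
    char buf[256];
    *unknown = 0;
    strncpy(buf, s_caps, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        int negate = (tok[0] == '!');
        int bit = cap_bit(tok + negate);
        if (bit < 0) {
            fprintf(stderr, "Unknown capability %s\n", tok + negate);
            (*unknown)++;
        } else if (negate) {
            mask &= ~(1u << bit);
        } else {
            mask |= 1u << bit;
        }
    }
    return mask;
}

int main(void) {
    int bad; /* constructed sample input, not taken from a real config */
    unsigned m = resolve_caps("CAP_NET_RAW CAP_TO_MASK !CAP_CHOWN", &bad);
    printf("mask=0x%x unknown=%d\n", m, bad);
    return 0;
}
```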