From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Thu 14 Nov 2002 - 03:09:09 GMT
On Fri, 22 Feb 2002 11:25:05 -0500, klavs klavsen wrote
> Hi guys,
> I'm running through reducecap with strings.
> i can see three options (I've only found one of them mentioned in the
> --secure (mentioned - removes all unsafe capabilities)
> --show (shows current capabilities)
> --flag (gives me a segmentation fault)
> what's the idea with --flag? what are you suppose to feed it?
Here is some doc
sets the security context flags. The option may be repeated
several times. Here are the values:
lock: The security context can't be changed. The process is trapped
in this context. This is generally used for vservers because yoy
do not want them to hide in new security context.
sched: Each process in a security context contribute (lower) to the general
priority of every processes in the context. Mostly, all processes
in a security context take as much CPU together as one process
not bound to this flag. Said again differently, a vserver having
100 active processes won't get more CPU than another vserver
with a single active process.
nproc: The "ulimit -u N" setting becomes global to the security context. It means
the security context is not allowed to have more than N processes.
private: No other processes, even root in security context 0, is allowed to
enter this security context. Once a security context is setup
with this flag, it is on its own. This also means that root
in security context 0 won't be able to kill or interact with those
hideinfo: Hides various information in /proc. (not implemented yet)
> is it possible to define which capabilities to remove? other than just
> what secure removes? can you enter --secure (and then add extra
> capabilities to the --secure standard set?)
Yes, the following options may be used
I have updated the man page.
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!