From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Thu 14 Nov 2002 - 03:09:09 GMT

On Fri, 22 Feb 2002 11:25:05 -0500, klavs klavsen wrote
> Hi guys,
> I'm running through reducecap with strings.
> I can see three options (I've only found one of them mentioned in the
> docs).
> --secure (mentioned - removes all unsafe capabilities)
> --show (shows current capabilities)
> --flag (gives me a segmentation fault)
> What's the idea with --flag? What are you supposed to feed it?

Here is some doc

sets the security context flags. The option may be repeated
several times. Here are the values:

lock: The security context can't be changed. The process is trapped
        in this context. This is generally used for vservers because you
        do not want them to hide in new security context.

sched: Each process in a security context contributes (lower) to the general
        priority of every process in the context. Mostly, all processes
        in a security context take as much CPU together as one process
        not bound to this flag. Said again differently, a vserver having
        100 active processes won't get more CPU than another vserver
        with a single active process.

nproc: The "ulimit -u N" setting becomes global to the security context. It means
        the security context is not allowed to have more than N processes.

private: No other process, even root in security context 0, is allowed to
        enter this security context. Once a security context is set up
        with this flag, it is on its own. This also means that root
        in security context 0 won't be able to kill or interact with those

hideinfo: Hides various information in /proc. (not implemented yet)

> Is it possible to define which capabilities to remove? Other than just
> what secure removes? Can you enter --secure (and then add extra
> capabilities to the --secure standard set?)

Yes, the following options may be used


I have updated the man page.

Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!

Generated on Thu 14 Nov 2002 - 06:25:32 GMT by hypermail 2.1.3