About this list Date view Thread view Subject view Author view Attachment view

From: Herbert P÷tzl (herbert_at_13thfloor.at)
Date: Fri 15 Aug 2003 - 23:36:19 BST


On Fri, Aug 15, 2003 at 10:41:25AM -0500, John Goerzen wrote:
> What capabilities should I be granting it? I have been failing to find the
> right thing to set S_CAPS to for this.

this would be CAP_SYS_ADMIN, but keep in mind this
also opens the following ...

/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow configuring the kernel's syslog (printk behaviour) */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
   and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some
   extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
   arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow the selection of a security context */

best,
Herbert

> Thanks,
> John
>
> On Fri, Aug 15, 2003 at 05:31:45PM +0200, Herbert P÷tzl wrote:
> > On Fri, Aug 15, 2003 at 10:18:15AM -0500, John Goerzen wrote:
> > > Hi,
> >
> > Hi John!
> >
> > > I have a program I'm trying to run under a vserver that sets up a
> > > chroot environment and tries to mount /proc under there. Ideally, it
> > > should be allowed to mount the same basic /proc that the master
> > > vserver sees. What is the proper way to allow it to do that? Or,
> > > failing that, to manually do it before the program runs?
> >
> > if you have sufficient priviledges (capabilities) then
> > you'll be able to do a mount -t procfs none /path/to/proc within

should read mount -t proc none /path/to/proc
                     ^^^^

> > the vserver ...
> >
> > HTH,
> > Herbert
> >
> > > Thanks,
> > > John


About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Fri 15 Aug 2003 - 23:51:25 BST by hypermail 2.1.3