From: Thomas Guettler (hv_at_tbz-pariv.de)
Date: Thu 18 Mar 2004 - 14:16:25 GMT
Hi,
I have trouble with the default capabilities of chcontext.
varchiv is virtual, here CAP_SYS_CHROOT is enabled:
varchiv:~ # grep s_context /proc/self/status
s_context: 49176
varchiv:~ # reducecap --show | grep -i chroot
        CAP_SYS_CHROOT     X         X
If I start a new context, I have CAP_SYS_CHROOT:
edison:~ # /usr/local/sbin/chcontext   --flag lock --flag nproc --flag sched\
  bash
New security context is 49184
edison:~ # reducecap --show | grep -i chroot
        CAP_SYS_CHROOT     X         X
If I want to change to varchiv, I don't have CAP_SYS_CHROOT:
edison:~ # /usr/local/sbin/chcontext   --flag lock --flag nproc --flag sched \
  --ctx 49176 bash
New security context is 49176
varchiv:~ # reducecap --show | grep -i chroot
        CAP_SYS_CHROOT
Why does chcontext behave differently if I give the --ctx option?
~~~~~~~~~~~~~~
Wishlist:
 - Introduction at http://dns.solucorp.qc.ca/miscprj/s_context.hc
   has some old parts.
   - newvserver does not exist (I think you use "vserver foo build" now)
   - Part "The packages":
     Difference between /usr/lib/vserver/vdu and /usr/sbin/vdu
     (I think they are the same)
 
 - Is there a tool which displays the context of all processes?
   vps, vtop don't. (At least I found no way to do this)
- Do you use "vserver foo start" or do you have own scripts?
  I have problems with these scripts, and think most people who use
  vserver daily have their own scripts. Is this true?
  (The problem at the top is one of them. I just reduced it to the commands
   that "vserver foo enter" executes)
- Would be nice to get a better error message if a context
   does not exist:
   chcontext --ctx 99999 bash
    Can't set the new security context
    : Invalid argument
- "vserver foo start" overwrites the file in /var/run/vserver.
  It would be good if this could check if the server is already
  running.
- "vserver exec bash"
   Host name is now varchiv
   > echo $HOST --> old name
   > hostname --> new name
   Would be nice if $HOST would get updated, too.
- utils: Would be nice to have a debug option
  which displays the commands which get executed.
  I changed it myself for debugging.
I know my wishlist is long. Maybe I have some
time to send patches.
Regards,
 Thomas
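The post asks for a tool that shows the security context of every process. The script below is an added example, not code from the post or from the vserver utilities: it builds the listing from /proc/<pid>/status, using the same `s_context:` line the post greps from /proc/self/status. It assumes the kernel prints that line exactly as shown above ("s_context: 49176"); processes whose status file has no such line (a non-vserver kernel, or a process the kernel does not tag) are reported as context "-". The fake /proc tree at the end is constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original post or of the vserver tools).
# Lists the vserver security context of processes by parsing /proc/<pid>/status.
# Assumption: the context is exposed as a line "s_context: <number>", as in the post.

# context_of PROCDIR PID -> prints the s_context number, or "-" if the line is absent
context_of() {
    status="$1/$2/status"
    [ -r "$status" ] || { printf -- '-\n'; return 1; }
    awk '/^s_context:/ { print $2; found = 1 }
         END { if (!found) print "-" }' "$status" 2>/dev/null
}

# list_contexts [PROCDIR] -> one line "pid context name" per numeric directory
list_contexts() {
    procdir="${1:-/proc}"
    for status in "$procdir"/[0-9]*/status; do
        [ -r "$status" ] || continue          # pattern did not match, or process gone
        pid=${status#"$procdir"/}
        pid=${pid%/status}
        ctx=$(context_of "$procdir" "$pid")
        name=$(awk '/^Name:/ { print $2; exit }' "$status" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "$ctx" "${name:-?}"
    done
}

# procs_in_context CTX [PROCDIR] -> only the pids running in context CTX,
# the rough equivalent of what the post wants from vps for a single server
procs_in_context() {
    want="$1"
    list_contexts "${2:-/proc}" | awk -v want="$want" '$2 == want { print $1 }'
}

# make_fake_proc -> path of a constructed /proc-like tree (sample data, not real output)
make_fake_proc() {
    dir=$(mktemp -d)
    mkdir -p "$dir/1" "$dir/4711" "$dir/4712" "$dir/self"
    printf 'Name:\tinit\ns_context: 0\n'       > "$dir/1/status"
    printf 'Name:\tbash\ns_context: 49176\n'   > "$dir/4711/status"
    printf 'Name:\tsshd\nState:\tS (sleeping)\n' > "$dir/4712/status"   # no s_context line
    printf '%s\n' "$dir"
}

# Usage on a real system:  list_contexts /proc   or   procs_in_context 49176
# Offline demo on the constructed tree:
if [ "${1:-}" = "demo" ]; then
    fake=$(make_fake_proc)
    list_contexts "$fake"
    rm -rf "$fake"
fi
```

On a vserver kernel the `[0-9]*` glob skips `/proc/self` and the other non-process entries, and the `-r` test drops processes that exit between the glob and the read; on a kernel without the patch every process shows "-", which is the case the post's error messages do not yet distinguish.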
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver