Re: [Vserver] remove root from VServer:
 vserver development mailing list 
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]

Re: [Vserver] remove root from VServer

From: Grzegorz Nosek <grzegorz.nosek_at_gmail.com>
Date: Thu 19 Jan 2006 - 13:48:20 GMT
Message-ID: <121a28810601190548q3028bce3o@mail.gmail.com>

2006/1/19, sukrit <sukrit@liqwidkrystal.com>:
> Is it firstly possible to remove root user from a vserver so as to
> secure it? Secondly is there documentation of this? Also, any known side
> effects?
>
> Regards,
> Sukrit.D.
>

Well, yes and no.

No, you can't really prevent *all* processes from having uid==0 (what
about vserver enter? you'd want to block it too?).

Yes, you can strip enough capabilities to lock down the vserver heavily.

Known side effects - things break :) e.g. if you remove CAP_MOUNT you
can no longer mount filesystems etc. so programs that expect this
feature don't work.

I'm usually using a set of bcapabilities like this:

CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH
CAP_FOWNER
CAP_FSETID
CAP_KILL
CAP_SETGID
CAP_SETUID
CAP_SETPCAP
CAP_NET_BIND_SERVICE
CAP_SYS_NICE
CAP_SYS_RESOURCE

plus quota_ctl in ccapabilities.

HTH,
 Grzegorz Nosek
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu Jan 19 13:48:41 2006

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Thu 19 Jan 2006 - 13:48:45 GMT by hypermail 2.1.8