2006/1/19, sukrit <sukrit@liqwidkrystal.com>:
> Is it firstly possible to remove root user from a vserver so as to
> secure it? Secondly is there documentation of this? Also, any known side
> effects?
>
> Regards,
> Sukrit.D.
>
Well, yes and no.
No, you can't really prevent *all* processes from having uid==0 (what
about vserver enter? you'd want to block it too?).
Yes, you can strip enough capabilities to lock down the vserver heavily.
Known side effects - things break :) e.g. if you remove CAP_MOUNT you
can no longer mount filesystems etc. so programs that expect this
feature don't work.
I'm usually using a set of bcapabilities like this:
CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH
CAP_FOWNER
CAP_FSETID
CAP_KILL
CAP_SETGID
CAP_SETUID
CAP_SETPCAP
CAP_NET_BIND_SERVICE
CAP_SYS_NICE
CAP_SYS_RESOURCE
plus quota_ctl in ccapabilities.
HTH,
Grzegorz Nosek
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu Jan 19 13:48:41 2006