chcontext.8 (3691B)
.TH "chcontext" "8" "0.1.0" "Klavs Klavsen <kl@vsen.dk>" "System Administration"
.SH "NAME"
.LP
chcontext \- chcontext allocates a new security context and executes a command in that context.
.SH "SYNTAX"
.LP
chcontext [\fIoptions\fP] <\fIcommand arguments\fP>
.SH "DESCRIPTION"
.LP
chcontext allocates a new security context and executes a command in that context.
By default, a new/unused context is allocated.
.SH "OPTIONS"
.LP
.TP
\fB\-\-cap\fR CAP_NAME
Add a capability to the command. This option may be repeated several times. See /usr/include/linux/capability.h. In general, this option is used together with the \-\-secure option: \-\-secure removes the most critical capabilities and \-\-cap adds specific ones back.
.TP
\fB\-\-cap\fR !CAP_NAME
Remove a capability from the command. This option may be repeated several times. See /usr/include/linux/capability.h.
.TP
\fB\-\-ctx\fR num
Select the context. Only root in context 0 is allowed to select a specific context.
Context number 1 is special: it can see all processes in any context, but it cannot kill them.
.TP
\fB\-\-disconnect\fR
Start the command in the background and make the process a child of process 1.
.TP
\fB\-\-domainname\fR new_domainname
Set the domainname (NIS) in the new security context.
Use "none" to unset the domainname.
.TP
\fB\-\-flag\fR flag_name
Set one flag in the new or current security context. The option may be used several times. The following flags are supported:
lock: The new process is trapped and can't use chcontext anymore.
sched: The new process and its children will share a common execution priority.
nproc: Limit the number of processes in the vserver according to the ulimit setting. Normally, ulimit is a per-user thing; with this flag, it becomes a per-vserver thing.
private: No one can join this security context once it has been created.
.TP
\fB\-\-hostname\fR new_hostname
Set the hostname in the new security context.
This is needed because if you create a less privileged security context, it may be unable to change its hostname.
.TP
\fB\-\-secure\fR
Remove all the capabilities to make a virtual server trustable.
.TP
\fB\-\-silent\fR
Do not print the allocated context number.
.LP
Information about the context is found in /proc/self/status.
.SH "FILES"
.LP
\fI/usr/sbin/chcontext\fP
.SH "EXAMPLES"
.LP
# You must be root, running X.
# We start an xterm in another security context.
/usr/sbin/chcontext xterm &

# We check: there is an xterm running, yet we cannot
# see it.
ps ax | grep xterm

# Are we running in security context 0?
# We check the s_context line in /proc/self/status.
cat /proc/self/status

# Ok, we are in security context 0.
# Try security context 1.
/usr/sbin/chcontext \-\-ctx 1 ps ax | grep xterm

# Ok, we see the xterm; we try to kill it.
/usr/sbin/chcontext \-\-ctx 1 killall xterm

# No: security context 1 can see, but can't kill.
# Let's find out in which security context this
# xterm is running.
/usr/sbin/chcontext \-\-ctx 1 ps ax | grep xterm

# Ok, this is PID XX. We need its security context.
/usr/sbin/chcontext \-\-ctx 1 cat /proc/XX/status

# We see the s_context; this is SS.
# We want to kill this process.
/usr/sbin/chcontext \-\-ctx SS killall xterm
.LP
Please contribute some, if you feel it's important.
.SH "AUTHORS"
.LP
This man page was written by Klavs Klavsen <kl@vsen.dk> and is based upon the helpful output from the program itself and the documentation on the Virtual Server site <http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>.
.SH "SEE ALSO"
.LP
chbind(8) rebootmgr(8) reducecap(8)
vps(8) vpstree(8) vrpm(8) vserver(8)
vserver\-stat(8) vtop(8)
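An added example, not part of the chcontext man page, that wraps the pattern the OPTIONS and EXAMPLES sections describe: launch a command in a fresh context with \-\-secure plus only the capabilities it needs, lock the context, and read the s_context line from a /proc status file to confirm where a process ended up. The option names come from this page; the argument form \-\-flag lock / \-\-flag private, the helper names and the constructed status file are assumptions.

```shell
# Added example, not from the chcontext man page. Helper names are assumptions.

# s_context_of STATUSFILE
# Print the s_context value from a /proc/<pid>/status-style file, or "none"
# when the file carries no s_context line (kernel without the patch).
s_context_of() {
    awk '/^s_context:/ { print $2; found = 1 } END { if (!found) print "none" }' "$1"
}

# is_confined STATUSFILE
# Succeed only if the process described by STATUSFILE runs outside context 0.
# Context 0 is the unconfined host; context 1 is the special "see all" context.
is_confined() {
    ctx=$(s_context_of "$1")
    [ "$ctx" != "none" ] && [ "$ctx" != "0" ]
}

# confined_opts CAP_NAME...
# Compose chcontext options for a locked-down context: --secure drops the
# critical capabilities, each --cap re-adds one the service really needs,
# --flag lock stops the child from calling chcontext again, and --flag private
# stops anyone from joining the context afterwards. The caller appends the command.
confined_opts() {
    opts="--secure --flag lock --flag private"
    for cap in "$@"; do
        opts="$opts --cap $cap"
    done
    printf '%s\n' "$opts"
}

# Demonstration on a constructed status file; on a VServer kernel you would
# point s_context_of at /proc/<pid>/status exactly as the EXAMPLES section does.
demo() {
    tmp=$(mktemp)
    printf 'Name:\txterm\nPid:\t4242\ns_context: 7\n' > "$tmp"   # constructed sample
    echo "xterm runs in context $(s_context_of "$tmp")"
    is_confined "$tmp" && echo "confined" || echo "NOT confined"
    echo "launch with: /usr/sbin/chcontext $(confined_opts CAP_NET_BIND_SERVICE) httpd"
    rm -f "$tmp"
}
```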