vshost-util-vserver

reducecap.8 (3878B)

---

 .TH "reducecap" "8" "0.1.0" "Klavs Klavsen <kl@vsen.dk>" "System Administration"
 .SH "NAME"
 .LP 
 reducecap \- The reducecap utility is used to lower the capability ceiling of a process and child process.
 .SH "SYNTAX"
 .LP 
 reducecap [\fIoptions\fP] <\fIcommand arguments\fP>
 .SH "DESCRIPTION"
 .LP 
 The reducecap utility is used to lower the capability ceiling of a process and child process. Even setuid program won't be able to grab more capabilities.
 .SH "OPTIONS"
 .LP 
 .TP 
 \fB\-\-secure\fR Removes all dangerous capabilities from the process executed.Specificly it removes:
 CAP_LINUX_IMMUTABLE CAP_NET_BROADCAST CAP_NET_ADMIN, CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_MKNOD.
 
 Leaving the following capabilities:
 CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_TTY_CONFIG CAP_LEASE CAP_QUOTACTL
 .TP 
 \fB\-\-show\fR Shows the current process capabilities.
 .TP 
 \fB\-\-flag\fR
 sets the security context flags. The option may be repeated
 several times. Here are the values:
 
 lock: The security context can't be changed. The process is trapped
 	  in this context. This is generally used for vservers because yoy
 	  do not want them to hide in new security context.
 
 sched: Each process in a security context contribute (lower) to the general
 	priority of every processes in the context. Mostly, all processes
 	in a security context take as much CPU together as one process
 	not bound to this flag. Said again differently, a vserver having
 	100 active processes won't get more CPU than another vserver
 	with a single active process.
 
 
 nproc: The "ulimit -u N" setting becomes global to the security context. It means
 	the security context is not allowed to have more than N processes.
 
 private: No other processes, even root in security context 0, is allowed to
 	enter this security context. Once a security context is setup
 	with this flag, it is on its own. This also means that root
 	in security context 0 won't be able to kill or interact with those
 	processes.
 
 hideinfo: Hides various information in /proc.
 
 .TP 
 \fB--LINUX_IMMUTABLE\fR
 .TP 
 \fB--NET_BIND_SERVICE\fR
 .TP 
 \fB--NET_BROADCAST\fR
 .TP 
 \fB--NET_ADMIN\fR
 .TP 
 \fB--NET_RAW\fR
 .TP 
 \fB--IPC_LOCK\fR
 .TP 
 \fB--IPC_OWNER\fR
 .TP 
 \fB--SYS_MODULE\fR
 .TP 
 \fB--SYS_RAWIO\fR
 .TP 
 \fB--SYS_PACCT\fR
 .TP 
 \fB--SYS_ADMIN\fR
 .TP 
 \fB--SYS_BOOT\fR
 .TP 
 \fB--SYS_NICE\fR
 .TP 
 \fB--SYS_RESOURCE\fR
 .TP 
 \fB--SYS_TIME\fR
 .TP 
 \fB--MKNOD\fR
 
 All these options remove one capability. These options may be used
 after the
 \fB--secure\fR
 option to remove more capabilities.
 
 
 .SH "FILES"
 .LP 
 \fI/usr/sbin/reducecap\fP 
 
 
 .SH "EXAMPLES"
 .LP 
 # You are not root now
 # What is the current capability ceiling
 cat /proc/self/status
 # The capBset line presents mostly 1s.
 /usr/sbin/reducecap \-\-secure /bin/sh
 cat /proc/self/status
 # The capBset now shows many more 0s.
 # The capEff shows all 0s, you have no privilege now
 # We su to root
 su
 cat /proc/self/status
 # capEff is much better now, but there are still many 0s
 # Now we try to see if we are really root
 tail /var/log/messages
 # So far so good, we see the content
 /sbin/ifconfig eth0
 /sbin/ifconfig eth0 down
 # No way, we can't configure the interface. In fact
 # we have lost most privilege normally assigned to root
 exit
 .LP 
 Please contribute some more, if you feel it's important.
 .SH "AUTHORS"
 .LP 
 This Man page was written by Klavs Klavsen <kl@vsen.dk> and based upon the helpful output from the program itself and the documentation on the Virtual Server site <http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>
 .SH "SEE ALSO"
 .LP 
 chcontext(8) rebootmgr(8) chbind(8)
 vps(8) vpstree(8) vrpm(8) vserver(8)
 vserver\-stat(8) vtop(8)