Hi folks, I just wanted to announce, that a small but nice tool is available for testing. It's a program to build secure compartments for running untrsted/insecure programs, and has got the usual uid/gid setting and chrooting abilitity, but the nice thing is the easy access to linux per process capabilities. e.g. running an anon-ftp or webserver software on a priviliged port chrooted: "compartment --chroot /chroot/ftp --cap CAP_NET_BIND_SERVICE anon-ftpd" You can find v0.5 of the compartment utility at http://www.suse.de/~marc Syntax: compartment [options] /full/path/to/program Options: --chroot path chroot to path --user user change uid to this user --group group change gid to this group --init program execute this program/script before doing anything --cap capset set capset name. You can specify several capsets. --verbose be verbose --quiet do no logging (to syslog) I know the following capset names: CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_FS_MASK CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
participants (1)
-
marc@suse.de