Hi, I am trying to chroot services via Marc's compartment. For instance, for chrooting apache I think I understood the need for -cap CAP_NET_BIND_SERVICE since the port binding is below 1024. However, I do not want to have root running the services. From reading the README file I should be chowning the directories to something other than root. The README file refers to the capability.h file for further reference, yet it sounds Greek to me. Again from the README I understand that I cannot use --user --group with 2.2.x kernels. I have found a document at ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt describing the capabilities. Yet is there a plain English version that I could not locate, or what are the best uses of these for apache and proftp?

Thanks

--
Togan Muftuoglu
On Wed, 23 Jan 2002, Togan Muftuoglu wrote:
> I have found a document at ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt describing the capabilities.
> Yet is there a plain English version that I could not locate, or what are the best uses of these for apache and proftp?
Well, all the capabilities should be described in /usr/src/linux/include/linux/capability.h. You may have a look at ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/ or http://www.de.lids.org/lids-howto/node34.html (although the latter one obviously refers to LIDS). HTH

best regards,
Rainer Link

--
Rainer Link | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
* Rainer Link; on 23 Jan, 2002 wrote:
> Well, all the capabilities should be described in /usr/src/linux/include/linux/capability.h

Well, I know; as I said in my previous mail I had a look at it and it sounds Greek to me, as I am not a programmer.
> You may have a look at ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/

Ok, this one has the same capfaq.txt which I have found.
> or http://www.de.lids.org/lids-howto/node34.html (although the latter one obviously refers to LIDS)

This is new, thanks.

What I am trying to understand is: let's say I am using compartment to chroot apache. Since it will be bound to port 80 I have to use CAP_NET_BIND_SERVICE, if I understood correctly. Since I am using kernel 2.2.19 I cannot use --cap together with the --user --group parameters. I can only use --group. I am giving the benefit of the doubt that "--group nogroup" is safer than "--group root". So basically I am looking for an explanation or examples of these in "plain English" :-)

Thanks for the links though; if I cannot find a plain English version I have to study them deep and hard before putting the server on the net.

--
Togan Muftuoglu