On Wed, 9 Jan 2002, Dietrich Meyer wrote:
Hi all,
in the documentation ot the compartment script (of SUSE 7.3), I found a note that under kernel 2.4, it would be possible to use capabilities together with a non-root user, which was impossible for kernels 2.2.x.
I tried to get it to work (in my case, BIND8 using the init_bind8 script from the compartment-documentation). I modified the script so that a minimal /etc/passwd and /etc/group was put into the chroot-dir,and "chowned" /var/named to the new user. Finally, I changed the call to compartment, added '--user newuser' and changed '--group newgroup'. But wouldn't start :-(
So my question: Is it in principle possible to use different users (non-root) together with capabilities? If yes, I will try a bit more..... Or maybe if anybody sees something obvious missing in my procedure, please tell me. Thanks!!!!
I had a similar problem with that some while ago.
Capabilities are disabled for kernels > 2.2.14. Processes with uid 0 have the
full set of capabilities, others have an empty set. Compartment's --cap option
therefore has no effect. You must patch