[13194] in bugtraq
compartment
daemon@ATHENA.MIT.EDU (Marc Heuse)
Mon Jan 3 16:42:33 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <20000103193420.BA3EE67AB@Galois.suse.de>
Date: Mon, 3 Jan 2000 20:34:20 +0100
Reply-To: Marc Heuse <marc@SUSE.DE>
From: Marc Heuse <marc@SUSE.DE>
X-To: bugtraq@securityfocus.com, suse-security@suse.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi folks,
I just wanted to announce, that a small but nice tool is available for
testing. It's a program to build secure compartments for running
untrsted/insecure programs, and has got the usual uid/gid setting and
chrooting abilitity, but the nice thing is the easy access to linux per
process capabilities.
e.g. running an anon-ftp or webserver software on a priviliged port chrooted:
"compartment --chroot /chroot/ftp --cap CAP_NET_BIND_SERVICE anon-ftpd"
You can find v0.5 of the compartment utility at http://www.suse.de/~marc
Syntax: compartment [options] /full/path/to/program
Options:
--chroot path chroot to path
--user user change uid to this user
--group group change gid to this group
--init program execute this program/script before doing anything
--cap capset set capset name. You can specify several capsets.
--verbose be verbose
--quiet do no logging (to syslog)
I know the following capset names: CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
CAP_FOWNER CAP_FSETID CAP_FS_MASK CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP
CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN
CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
