util-vserver:Capabilities and Flags

2008-01-05T12:50:35Z

Loic:

This page discusses how to set capabilities and flags for a util-vserver guest. Also check http://www.nongnu.org/util-vserver/doc/conf/configuration.html for additional information.
A couple of general rules applies to all of the files described on this page:
* The filenames are all relative to the guest's configuration directory, which typically is <code>/etc/vservers/<em><guest></em></code> but by default <code>/usr/local/etc/vservers/<em><guest></em></code> when built from source.
* One capability/flag per line
* To remove something set by default, prefix it with ~, for instance:
echo ~SET_UTSNAME >> ccapabilities
* Comments can be added with #:
echo \# Disable utsname configuration >> ccapabilities
* To set a specific bit which does not yet have a name in util-vserver, you can use the following notation to set bit 6:
echo ^6 >> ncapabilities

=== Setting context capabilities (ccaps) ===
* Add the capabilities to a file named <code>ccapabilities</code>:
echo SYSLOG >> ccapabilities
* The default ccaps are:
SET_UTSNAME
RAW_ICMP

=== Setting context flags (cflags) ===
* Add the flags to a file named <code>flags</code>:
echo VIRT_MEM >> flags
* The default cflags are (in addition to the defaults set by the kernel):
HIDE_NETIF

=== Setting network flags (nflags) ===
* Add the flags to a file named <code>nflags</code>:
echo HIDE_NETIF >> nflags
* The default nflags are:
HIDE_NETIF

=== Setting POSIX capabilities (bcaps) ===
* Add the capabilities to a file named <code>bcapabilities</code>:
echo CHOWN >> bcapabilities
* The default bcaps are:
CHOWN
DAC_OVERRIDE
DAC_READ_SEARCH
FOWNER
FSETID
KILL
SETGID
SETUID
NET_BIND_SERVICE
SYS_CHROOT
SYS_PTRACE
SYS_BOOT
SYS_TTY_CONFIG
LEASE
AUDIT_WRITE

=== Setting network capabilities (ncaps) ===
* Add the capabilities to a file named <code>ncapabilities</code>:
echo ^12 >> ncapabilities
* There are no default ncaps.

Linux-VServer - User contributions [en]

util-vserver:Capabilities and Flags