http://linux-vserver.at/api.php?action=feedcontributions&feedformat=atom&user=Marc+hamelinLinux-VServer - User contributions [en]2026-04-09T17:55:56ZUser contributionsMediaWiki 1.20.2http://linux-vserver.at/util-vserver:Capabilities_and_Flagsutil-vserver:Capabilities and Flags2011-10-03T08:29:06Z<p>Marc hamelin: /* Setting POSIX capabilities (bcaps) */</p>
<hr />
<div>This page discusses how to set capabilities and flags for a util-vserver guest. Also check http://www.nongnu.org/util-vserver/doc/conf/configuration.html for additional information.<br />
A couple of general rules applies to all of the files described on this page:<br />
* The filenames are all relative to the guest's configuration directory, which typically is <code>/etc/vservers/<em><guest></em></code> but by default <code>/usr/local/etc/vservers/<em><guest></em></code> when built from source.<br />
* One capability/flag per line<br />
* To remove something set by default, prefix it with ~, for instance:<br />
echo ~SET_UTSNAME >> ccapabilities<br />
* Comments can be added with #:<br />
echo \# Disable utsname configuration >> ccapabilities<br />
* To set a specific bit which does not yet have a name in util-vserver, you can use the following notation to set bit 6:<br />
echo ^6 >> ncapabilities<br />
<br />
=== Setting context capabilities (ccaps) ===<br />
* Add the capabilities to a file named <code>ccapabilities</code>:<br />
echo SYSLOG >> ccapabilities<br />
* The default ccaps are:<br />
SET_UTSNAME<br />
RAW_ICMP<br />
<br />
=== Setting context flags (cflags) ===<br />
* Add the flags to a file named <code>flags</code>:<br />
echo VIRT_MEM >> flags<br />
* The default cflags are (in addition to the defaults set by the kernel):<br />
HIDE_NETIF<br />
<br />
=== Setting network flags (nflags) ===<br />
* Add the flags to a file named <code>nflags</code>:<br />
echo HIDE_NETIF >> nflags<br />
* The default nflags are:<br />
HIDE_NETIF<br />
<br />
=== Setting POSIX capabilities (bcaps) ===<br />
* Add the capabilities to a file named <code>bcapabilities</code>:<br />
echo CHOWN >> bcapabilities<br />
* The default bcaps are:<br />
CHOWN<br />
DAC_OVERRIDE<br />
DAC_READ_SEARCH<br />
FOWNER<br />
FSETID<br />
KILL<br />
SETGID<br />
SETUID<br />
NET_BIND_SERVICE<br />
NET_RAW<br />
SYS_CHROOT<br />
SYS_PTRACE<br />
SYS_BOOT<br />
SYS_TTY_CONFIG<br />
LEASE<br />
AUDIT_WRITE<br />
<br />
''NET_RAW'' use for pcap (ex: tcpdump or snort software).<br />
<br />
=== Setting network capabilities (ncaps) ===<br />
* Add the capabilities to a file named <code>ncapabilities</code>:<br />
echo ^12 >> ncapabilities<br />
* There are no default ncaps.<br />
<br />
=== Modify flags without restarting the vservers ===<br />
If you would like to edit those flags without restarting the vservers, you can use vattribute and nattribute. See [[util-vserver:Cheatsheet]]</div>Marc hamelin