compartment
Subject: compartment
From: Marc Heuse (marc SUSE.DE)
Date: Mon Jan 03 2000 - 13:34:20 CST
Hi folks,
I just wanted to announce that a small but nice tool is available for
testing. It's a program to build secure compartments for running
untrusted/insecure programs, and has got the usual uid/gid setting and
chrooting ability, but the nice thing is the easy access to Linux
per-process capabilities.
E.g. running an anon-ftp or webserver software on a privileged port chrooted:
"compartment --chroot /chroot/ftp --cap CAP_NET_BIND_SERVICE anon-ftpd"
You can find v0.5 of the compartment utility at http://www.suse.de/~marc
Syntax: compartment [options] /full/path/to/program
Options:
    --chroot path     chroot to path
    --user user       change uid to this user
    --group group     change gid to this group
    --init program    execute this program/script before doing anything
    --cap capset      set capset name. You can specify several capsets.
    --verbose         be verbose
    --quiet           do no logging (to syslog)
I know the following capset names: CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
CAP_FOWNER CAP_FSETID CAP_FS_MASK CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP
CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN
CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
Email: marc suse.de  Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
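
The sequence a wrapper with the command line above has to perform on a current Linux kernel, as an added example that is not part of the original message and is not the source of compartment. The names cap_mask() and confine() are hypothetical, and the code assumes the caller starts as root with a full bounding set on Linux 4.3 or later (ambient capabilities).

```c
/* Added example; not compartment's source. cap_mask() and confine() are
   hypothetical names, and the ambient-capability step assumes Linux >= 4.3. */
#define _GNU_SOURCE
#include <grp.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* A few of the capset names from the usage text and their kernel numbers. */
static const struct { const char *name; int nr; } caps[] = {
    {"CAP_CHOWN", CAP_CHOWN}, {"CAP_KILL", CAP_KILL},
    {"CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE},
    {"CAP_NET_RAW", CAP_NET_RAW}, {"CAP_SYS_CHROOT", CAP_SYS_CHROOT},
};

/* Build a bitmask from --cap style names. An unknown name is an error, so a
   typo fails closed instead of starting the program with a different set. */
int cap_mask(const char *const *names, int n, unsigned int *mask) {
    *mask = 0;
    for (int i = 0; i < n; i++) {
        size_t j = 0, k = sizeof caps / sizeof caps[0];
        while (j < k && strcmp(names[i], caps[j].name) != 0) j++;
        if (j == k) { *mask = 0; return -1; }
        *mask |= 1u << caps[j].nr;
    }
    return 0;
}

/* Confine the calling (root) process. Order matters: chroot needs privilege,
   so it comes first; identity is dropped next; capabilities are cut last.
   Returns -1 on the first failure, and the caller must then not exec. */
int confine(const char *root, uid_t uid, gid_t gid, unsigned int mask) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = { { mask, mask, mask }, { 0, 0, 0 } };
    if (chroot(root) != 0 || chdir("/") != 0) return -1;  /* cwd must be inside */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1; /* survive setuid */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (syscall(SYS_capset, &h, d) != 0) return -1;  /* only the requested set */
    for (int c = 0; c < 32; c++)  /* ambient set carries caps across execve */
        if ((mask & (1u << c)) &&
            prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, c, 0, 0) != 0) return -1;
    return 0;
}
```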
This archive was generated by hypermail 2b27 : Mon Jan 03 2000 - 15:36:26 CST