re: cap problem: Unknown capability


From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Mon Dec 31 2001 - 11:06:59 EST


On Sat, 29 Dec 2001 16:41:21 -0500, norbert wegener wrote
> Hello,
> I just started playing with vserver0.9. The conf template only shows
> very limited CAPS : CAP_NET_RAW.
> Taking random caps from /usr/include/linux/capability.h into the S_CAPS
> var I get error messages starting the server.
> in 01.conf I have defined the following:
> S_CAPS="CAP_NET_RAW CAP_TO_MASK CAP_NET_BROADCAST CAP_CHOWN
> CAP_DAC_OVERRIDE"
>
> nobbi:/home/norbert/kernel/vserver-0.9 # vserver 01 start
> Starting the virtual server 01
> Server 01 is not running
> rm: »var/lock/subsys/httpd« ist ein Verzeichnis
> FLAGS= --flag lock --flag nproc
> CAPS= --cap CAP_NET_RAW --cap CAP_TO_MASK --cap CAP_NET_BROADCAST --cap
> CAP_CHOWN --cap CAP_DAC_OVERRIDE
> ipv4root is now 192.168.0.222
> Unknown capability CAP_TO_MASK
> Unknown capability CAP_CHOWN
> Unknown capability CAP_DAC_OVERRIDE
> Host name is now vs01
> New security context is 22

Here is the problem.

A vserver normally runs with fewer capabilities than the root server. The
following capabilities are removed.

        CAP_LINUX_IMMUTABLE
        CAP_NET_BROADCAST
        CAP_NET_ADMIN
        CAP_NET_RAW
        CAP_IPC_LOCK
        CAP_IPC_OWNER
        CAP_SYS_MODULE
        CAP_SYS_RAWIO
        CAP_SYS_PACCT
        CAP_SYS_ADMIN
        CAP_SYS_BOOT
        CAP_SYS_NICE
        CAP_SYS_RESOURCE
        CAP_SYS_TIME
        CAP_MKNOD

The S_CAPS allows you to get back some of those capabilities. All the others
are already available. The idea is that root in a vserver should be able to
do his work (kill any process, manipulate any file), but should not be able
to grab more privileges and potentially break into the root server.

So I did not include those capabilities in the chcontext utility since they
were already available (CAP_CHOWN and the other above).

But someone may want to fiddle with capabilities even more and create
a no-root capable vserver. Given you are allowed to use the ! sign to negate
a capability, it might be useful to specify CAP_CHOWN and friends like this

        S_CAPS="!CAP_CHOWN"

So I have added those extra capabilities in the list so it won't complain anymore.

So the short answer is: You probably do not need to specify those capabilities
because you already have them enabled in the vserver.

vserver 0.10 will have a more complete list.

---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
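
Added example, not part of the original message and not chcontext's code: a small checker that models the behaviour described above (default set minus the removed list, S_CAPS entries added back, "!" entries taken away) and classifies each S_CAPS token. The function name review_s_caps is hypothetical, and the full name list is assumed to be the CAP_CHOWN..CAP_LEASE set from a 2.4-era linux/capability.h.

```python
# Capability names assumed from a 2.4-era linux/capability.h (CAP_CHOWN .. CAP_LEASE).
ALL_CAPS = """CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD
CAP_LEASE""".split()

# Capabilities the message lists as removed from a vserver by default.
REMOVED = set("""CAP_LINUX_IMMUTABLE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_ADMIN
CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_MKNOD""".split())


def review_s_caps(s_caps):
    """Classify each S_CAPS token; return (effective capability set, report)."""
    effective = set(ALL_CAPS) - REMOVED  # what root in the vserver starts with
    report = {"restored": [], "redundant": [], "dropped": [], "unknown": []}
    for token in s_caps.split():
        negate = token.startswith("!")
        name = token[1:] if negate else token
        if name not in ALL_CAPS:
            report["unknown"].append(token)    # e.g. a macro, not a capability
        elif negate:
            effective.discard(name)            # "!" takes the capability away
            report["dropped"].append(name)
        elif name in REMOVED:
            effective.add(name)                # gives back a removed capability
            report["restored"].append(name)
        else:
            report["redundant"].append(name)   # already available in the vserver
    return effective, report


if __name__ == "__main__":
    # First value: S_CAPS from the quoted 01.conf. Second: constructed sample
    # using the "!" form shown in the reply.
    for value in ("CAP_NET_RAW CAP_TO_MASK CAP_NET_BROADCAST CAP_CHOWN CAP_DAC_OVERRIDE",
                  "CAP_NET_RAW !CAP_CHOWN"):
        eff, rep = review_s_caps(value)
        print(value)
        for kind, names in rep.items():
            print(f"  {kind:9}: {' '.join(names) or '-'}")
        print(f"  effective: {len(eff)} of {len(ALL_CAPS)} capabilities")
```

Every name reported as "restored" widens what root inside the vserver can do, so that list is the one to review before starting the server.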



This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT