re: cap problem: Unknown capability


From: Jacques Gelinas (
Date: Mon Dec 31 2001 - 11:06:59 EST

On Sat, 29 Dec 2001 16:41:21 -0500, norbert wegener wrote
> Hello,
> I just started playing with vserver0.9. The conf template only shows
> very limited CAPS : CAP_NET_RAW.
> Taking random caps from /usr/include/linux/capability.h into the S_CAPS
> var I get error messages starting the server.
> in 01.conf I have defined the following:
> nobbi:/home/norbert/kernel/vserver-0.9 # vserver 01 start
> Starting the virtual server 01
> Server 01 is not running
> rm: »var/lock/subsys/httpd« is a directory
> FLAGS= --flag lock --flag nproc
> ipv4root is now
> Unknown capability CAP_TO_MASK
> Unknown capability CAP_CHOWN
> Unknown capability CAP_DAC_OVERRIDE
> Host name is now vs01
> New security context is 22

Here is the problem.

A vserver normally runs with fewer capabilities than the root server. The
following capabilities are removed.


The S_CAPS allows you to get back some of those capabilities. All the others
are already available. The idea is that root in a vserver should be able to
do his work (kill any process, manipulate any file), but should not be able
to grab more privileges and potentially break into the root server.

So I did not include those capabilities in the chcontext utility since they
were already available (CAP_CHOWN and the others above).

But someone may want to fiddle with capabilities even more and create
a no-root capable vserver. Given you are allowed to use the ! sign to negate
a capability, it might be useful to specify CAP_CHOWN and friends like this


So I have added those extra capabilities in the list so it won't complain anymore.

So the short answer is: You probably do not need to specify those capabilities
because you already have them enabled in the vserver.

vserver 0.10 will have a more complete list.

Jacques Gelinas <>
vserver: run general purpose virtual servers on one box, full speed!
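The S_CAPS semantics described in the message above (a base set of capabilities that the vserver already has, names in S_CAPS that add to it, and a `!` prefix that removes one) can be illustrated with a small standalone parser. The following C program is an added example, not part of the original post and not code from the vserver project: the capability numbers are those of `<linux/capability.h>`, but the table is only a subset, the "default" set it starts from is an assumption for the demo (the page does not list which capabilities vserver removes), and the error handling (stop at the first unknown name and report it) is this example's choice rather than what `chcontext` does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability numbers as in <linux/capability.h> (subset only). Note that
 * CAP_TO_MASK(n) in that header is a macro turning a number into a bit,
 * not a capability, which is why it is rejected as a name below. */
static const struct { const char *name; int num; } cap_table[] = {
    { "CAP_CHOWN",            0 },
    { "CAP_DAC_OVERRIDE",     1 },
    { "CAP_KILL",             5 },
    { "CAP_SETUID",           7 },
    { "CAP_NET_BIND_SERVICE", 10 },
    { "CAP_NET_ADMIN",        12 },
    { "CAP_NET_RAW",          13 },
    { "CAP_SYS_MODULE",       16 },
    { "CAP_SYS_ADMIN",        21 },
};

#define CAP_BIT(n) ((uint64_t)1 << (n))
#define CAP_TABLE_LEN (sizeof cap_table / sizeof cap_table[0])

/* Resolve a capability name to its number, or -1 if it is unknown. */
int cap_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < CAP_TABLE_LEN; i++)
        if (strcmp(cap_table[i].name, name) == 0)
            return cap_table[i].num;
    return -1;
}

/* Assumed starting set for root inside a vserver (hypothetical, for this
 * demo): everything in the table except the capabilities that would let a
 * process reach outside its context (network admin/raw, module loading,
 * sys admin). The real removed set lives in the vserver source. */
uint64_t vserver_default_caps(void)
{
    uint64_t mask = 0;
    size_t i;
    for (i = 0; i < CAP_TABLE_LEN; i++)
        mask |= CAP_BIT(cap_table[i].num);
    mask &= ~(CAP_BIT(12) | CAP_BIT(13) | CAP_BIT(16) | CAP_BIT(21));
    return mask;
}

/* Apply an S_CAPS-style list to a base mask: whitespace-separated names add
 * a capability, "!NAME" removes one. Returns 0 and stores the result in
 * *out, or -1 on an unknown name (the offending token is copied to errtok). */
int parse_s_caps(const char *spec, uint64_t base, uint64_t *out,
                 char *errtok, size_t errlen)
{
    char buf[512];
    char *tok;
    uint64_t mask = base;

    if (errtok && errlen)
        errtok[0] = '\0';
    if (strlen(spec) >= sizeof buf)
        return -1;                       /* spec too long for this demo */
    strcpy(buf, spec);

    for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        int negate = (tok[0] == '!');
        const char *name = negate ? tok + 1 : tok;
        int num = cap_lookup(name);
        if (num < 0) {
            if (errtok && errlen) {
                strncpy(errtok, tok, errlen - 1);
                errtok[errlen - 1] = '\0';
            }
            return -1;
        }
        if (negate)
            mask &= ~CAP_BIT(num);
        else
            mask |= CAP_BIT(num);
    }
    *out = mask;
    return 0;
}

int main(void)
{
    /* Constructed sample S_CAPS values mirroring the thread: the template
     * default, the poster's failing list, and a "less-than-root" variant. */
    const char *specs[] = {
        "CAP_NET_RAW",
        "CAP_TO_MASK CAP_CHOWN CAP_DAC_OVERRIDE",
        "CAP_NET_RAW !CAP_CHOWN !CAP_DAC_OVERRIDE",
    };
    size_t i;
    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        uint64_t mask;
        char bad[64];
        if (parse_s_caps(specs[i], vserver_default_caps(), &mask, bad, sizeof bad) == 0)
            printf("S_CAPS=\"%s\" -> mask 0x%llx\n", specs[i], (unsigned long long)mask);
        else
            printf("S_CAPS=\"%s\" -> Unknown capability %s\n", specs[i], bad);
    }
    return 0;
}
```

Two points the program makes concrete: listing CAP_CHOWN in S_CAPS is a no-op against a base set that already contains it (the "you already have them" answer), whereas `!CAP_CHOWN` actually removes it, which is the only reason a tool would need to know the name at all.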


This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT