From: Herbert Pötzl (herbert_at_13thfloor.at)
Date: Fri 15 Aug 2003 - 23:36:19 BST
On Fri, Aug 15, 2003 at 10:41:25AM -0500, John Goerzen wrote:
> What capabilities should I be granting it? I have been failing to find the
> right thing to set S_CAPS to for this.
this would be CAP_SYS_ADMIN, but keep in mind this
also opens the following ...
/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow configuring the kernel's syslog (printk behaviour) */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some
extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow the selection of a security context */
best,
Herbert
> Thanks,
> John
>
> On Fri, Aug 15, 2003 at 05:31:45PM +0200, Herbert Pötzl wrote:
> > On Fri, Aug 15, 2003 at 10:18:15AM -0500, John Goerzen wrote:
> > > Hi,
> >
> > Hi John!
> >
> > > I have a program I'm trying to run under a vserver that sets up a
> > > chroot environment and tries to mount /proc under there. Ideally, it
> > > should be allowed to mount the same basic /proc that the master
> > > vserver sees. What is the proper way to allow it to do that? Or,
> > > failing that, to manually do it before the program runs?
> >
> > if you have sufficient priviledges (capabilities) then
> > you'll be able to do a mount -t procfs none /path/to/proc within
should read mount -t proc none /path/to/proc
^^^^
> > the vserver ...
> >
> > HTH,
> > Herbert
> >
> > > Thanks,
> > > John