
Re: chroot administration



Shaya Potter <spotter@cs.columbia.edu> wrote:

> > > I have written SE Linux policy for administration of a chroot
> > > environment.  That allows me to give full root administration
> > > access (ability to create/delete users, kill processes running
> > > under different UIDs, ptrace, etc) to a chroot environment
> > > without giving any access to the rest of the system.
> > Since no one else has apparently said it explicitly yet, I have to say
> > that's extremely cool :)
> argh. it's so cool that you essentially stole my summer research. :(.
> Does this allow you to create any amount of chroot jails?  We are also
> working on making "virtual IPs" that each jail would get.  We are also
> working on being able to move the processes while running (w/ network
> connections) from machine to machine w/o needing any state on initial
> machine.

You might want to investigate `security contexts', a new kernel feature
that can be used for virtual IP roots as well as making processes in
one context (even root) not able to see other contexts' processes.
The userland utilities also offer a way to remove Linux's capabilities
(eg, to disallow raw sockets or bypassing filesystem permissions).

http://www.solucorp.qc.ca/miscprj/s_context.hc
--
   Sam Vilain, sv@easyspace.com       Easyspace:  an accredited ICANN
GPG: http://sam.vilain.net/sam.asc    registrar & web hosting company
     7D74 2A09 B2D3 C30F F78E         Have your domain run by techies
     278A A425 30A9 05B5 2F13         with a clue.  www.easyspace.com

Ambition is the curse of the political class.
 - anon.


