Re: chroot administration
On Wed, 2002-08-14 at 06:50, Sam Vilain wrote:
> Shaya Potter <spotter@cs.columbia.edu> wrote:
>
> > > > I have written SE Linux policy for administration of a chroot
> > > > environment. That allows me to give full root administration
> > > > access (ability to create/delete users, kill processes running
> > > > under different UIDs, ptrace, etc) to a chroot environment
> > > > without giving any access to the rest of the system.
> > > Since no one else has apparently said it explictly yet, I have to say
> > > that's extremely cool :)
> > argh. its so cool that you essentially stole my summer research. :(.
> > Does this allow you to create any amount of chroot jails? We are also
> > working on making "virtual IPs" that each jail would get. We are also
> > working on being able to move the processes while running (w/ network
> > connections) from machine to machine w/o needing any state on initial
> > machine.
>
> You might want to investiage `security contexts', a new kernel feature
> that can be used for virtual IP roots as well as making processes in
> one context (even root) not able to see other contexts' processes.
> The userland utilities also offer a way to remove Linux's capabilities
> (eg, to disallow raw sockets or bypassing filesystem permissions).
yea, I know all about it, but thats a bit more involved than what we
want/need. I looked at that already. Might take another look at it
again later, but it seemed "too much" for our needs, and therefore a
little heavy. debian
Reply to: