LinuxGuruz
    reducecap

    
    
    
    

    SYNTAX

           reducecap [options] <command arguments>
    
    
    

    DESCRIPTION

           The reducecap utility is used to lower the capability ceiling of a
           process and its child processes. Even setuid programs won't be able
           to grab more capabilities.
    
    
    

    OPTIONS

           --secure Removes all dangerous capabilities from the process
                  executed. Specifically, it removes:
                  CAP_LINUX_IMMUTABLE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
                  CAP_IPC_LOCK    CAP_IPC_OWNER    CAP_SYS_MODULE    CAP_SYS_RAWIO
                  CAP_SYS_PACCT    CAP_SYS_ADMIN     CAP_SYS_BOOT     CAP_SYS_NICE
                  CAP_SYS_RESOURCE CAP_SYS_TIME CAP_MKNOD
    
                  Leaving  the  following capabilities: CAP_CHOWN CAP_DAC_OVERRIDE
                  CAP_DAC_READ_SEARCH CAP_FOWNER  CAP_FSETID  CAP_KILL  CAP_SETGID
                  CAP_SETUID  CAP_NET_BIND_SERVICE  CAP_SYS_CHROOT  CAP_SYS_PTRACE
                  CAP_SYS_TTY_CONFIG CAP_LEASE CAP_QUOTACTL
    
           --show Shows the current process capabilities.
    
           --flag Sets the security context flags. The option may be repeated
                  several times. Here are the values:
    
                  lock: The security context can't be changed. The process is
                  trapped in this context. This is generally used for vservers
                  because you do not want them to hide in a new security
                  context.
    
                  sched: Each process in a security context contributes to
                  (lowers) the general priority of every process in the
                  context. In effect, all processes in a security context
                  together take as much CPU as one process not bound to this
                  flag. Put differently, a vserver having 100 active processes
                  won't get more CPU than another vserver with a single active
                  process.
    
                  nproc: The "ulimit -u N" setting becomes global to the
                  security context. It means the security context is not
                  allowed to have more than N processes.
    
                  private: No other process, even root in security context 0,
                  is allowed to enter this security context. Once a security
                  context is set up with this flag, it is on its own. This
                  also means that root in security context 0 won't be able to
                  kill or interact with those processes.
    
                  hideinfo: Hides various information in /proc.
    
           --IPC_OWNER
    
           --SYS_MODULE
    
           --SYS_RAWIO
    
           --SYS_PACCT
    
           --SYS_ADMIN
    
           --SYS_BOOT
    
           --SYS_NICE
    
           --SYS_RESOURCE
    
           --SYS_TIME
    
           --MKNOD
    
                  All these options remove one capability. These  options  may  be
                  used after the --secure option to remove more capabilities.
    
    
    

    FILES

           /usr/sbin/reducecap
    
    
    

    EXAMPLES

           # You are not root now
           # What is the current capability ceiling
           cat /proc/self/status
           # The capBset line presents mostly 1s.
           /usr/sbin/reducecap --secure /bin/sh
           cat /proc/self/status
           # The capBset now shows many more 0s.
           # The capEff shows all 0s, you have no privilege now
           # We su to root
           su
           cat /proc/self/status
           # capEff is much better now, but there are still many 0s
           # Now we try to see if we are really root
           tail /var/log/messages
           # So far so good, we see the content
           /sbin/ifconfig eth0
           /sbin/ifconfig eth0 down
           # No way, we can't configure the interface. In fact
           # we have lost most privilege normally assigned to root
           exit
    
           Please contribute some more, if you feel it's important.
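
An added example, not part of the original man page or of the project's own code: a Python check that reads the capability lines printed by `cat /proc/self/status` and reports which of the capabilities that --secure is documented to remove are still present in the ceiling. The bit numbers come from <linux/capability.h>; the accepted field names (`CapBnd` on mainline kernels, `capBset` as written on this page) and the sample status text are assumptions constructed for illustration.

```python
import re

# Bit numbers from <linux/capability.h> for the capabilities that the
# --secure option is documented to remove.
SECURE_REMOVES = {
    "CAP_LINUX_IMMUTABLE": 9, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_PACCT": 20,
    "CAP_SYS_ADMIN": 21, "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23,
    "CAP_SYS_RESOURCE": 24, "CAP_SYS_TIME": 25, "CAP_MKNOD": 27,
}

# Assumption: the ceiling is "CapBnd" on mainline kernels and "capBset" on
# the kernel this page describes; both are matched case-insensitively.
CEILING_FIELDS = ("capbnd", "capbset")


def parse_cap_fields(status_text):
    """Return {lowercased field name: int mask} for every Cap* line."""
    fields = {}
    for line in status_text.splitlines():
        m = re.match(r"\s*(cap\w+):\s*([0-9a-fA-F]+)\s*$", line, re.IGNORECASE)
        if m:
            fields[m.group(1).lower()] = int(m.group(2), 16)
    return fields


def ceiling_violations(status_text):
    """Names of --secure capabilities still present in the ceiling."""
    fields = parse_cap_fields(status_text)
    for name in CEILING_FIELDS:
        if name in fields:
            mask = fields[name]
            break
    else:
        raise ValueError("no capability ceiling field found")
    return sorted((n for n, bit in SECURE_REMOVES.items() if mask >> bit & 1),
                  key=SECURE_REMOVES.get)


# Constructed sample input (not captured from a real system).
SAMPLE_BEFORE = "Name:\tsh\nCapEff:\t00000000\nCapBset:\tffffffff\n"
SAMPLE_AFTER = "Name:\tsh\nCapEff:\t00000000\nCapBset:\t140c04ff\n"
SAMPLE_LEAKY = "Name:\tsh\nCapEff:\t00000000\nCapBset:\t140c14ff\n"

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEAKY
    print(ceiling_violations(text) or "ceiling matches --secure")
```

Run it with a path such as /proc/self/status from inside the reduced shell; an empty result means none of the listed capabilities remain in the ceiling.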
    
    
    

    AUTHORS

           This man page was written by Klavs Klavsen <kl@vsen.dk> and based upon
           the helpful output from the program itself and the documentation on the
           Virtual Server site
           <http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>
    
    
    

    SEE ALSO

           chcontext(8)   rebootmgr(8)   chbind(8)   vps(8)   vpstree(8)   vrpm(8)
    
Copyright © 1999 - 2016 by LinuxGuruz