compartment

[marc () SUSE DE (Marc Heuse)]

Hi folks,

I just wanted to announce, that a small but nice tool is available for
testing. It's a program to build secure compartments for running
untrsted/insecure programs, and has got the usual uid/gid setting and
chrooting abilitity, but the nice thing is the easy access to linux per
process capabilities.

e.g. running an anon-ftp or webserver software on a priviliged port chrooted:
"compartment --chroot /chroot/ftp --cap CAP_NET_BIND_SERVICE anon-ftpd"

You can find v0.5 of the compartment utility at http://www.suse.de/~marc

Syntax: compartment [options] /full/path/to/program

Options:
         --chroot path   chroot to path
         --user user     change uid to this user
         --group group   change gid to this group
         --init program  execute this program/script before doing anything
         --cap capset    set capset name. You can specify several capsets.
         --verbose       be verbose
         --quiet         do no logging (to syslog)

I know the following capset names: CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
CAP_FOWNER CAP_FSETID CAP_FS_MASK CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP
CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN
CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG

Greets,
        Marc

--
   Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
   E@mail: marc () suse de  Function: Security Support & Auditing
   "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE  16 D9 70 D4 87 B5 63 6C