[Lxc-users] dropping capabilities
Trent W. Buck
twb at cybersource.com.au
Mon Dec 6 03:23:54 UTC 2010
richard -rw- weinberger <richard.weinberger at gmail.com> writes:
> I'm using lxc to run a few virtual private servers.
> What capabilities are harmful and should be dropped using "lxc.cap.drop"?
FWIW...
Running 10.04 both as the "dom0" and in the containers, I am dropping
the following capabilities. Basically I started by dropping ALL
capabilities, then twiddled individual caps until <things> worked
again -- which you can see in the commented-out lines.
The "root_squash" ones are a bit like NFS root_squash, which treats root:root
as nobody:nogroup. They basically broke a lot of "apt-get install foo"
postinst scripts.
I get around upstart wanting sys_admin by adding lxc.mount.entry lines
for proc and sys, and diverting mount/umount/swapon/swapoff and
symlinking them to /bin/true within the guest. The main reason I did
that was to prevent / being mount -o remount,ro by
/etc/init.d/umountnfs during halt.
bad_caps=(
# chown net_admin setgid # getty or login
# net_bind_service net_raw net_broadcast # dhclient
# setuid # rsyslog
# sys_chroot # openssh-server
# fowner dac_override dac_read_search # lots of things (like root_squash)
audit_control audit_write fsetid ipc_lock ipc_owner kill lease
linux_immutable mac_admin mac_override mknod setfcap setpcap
sys_admin sys_boot sys_module sys_nice sys_pacct sys_ptrace
sys_rawio sys_resource sys_time sys_tty_config )
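As an added example (not part of Trent's message or of lxc itself), the following POSIX shell script turns that bad_caps list into the config lines he describes, prints the guest-side commands for diverting mount/umount/swapon/swapoff to /bin/true, and decodes the CapBnd field of /proc/1/status so you can confirm inside a running container that the drop actually took effect. Assumptions: lxc.mount.entry target paths relative to the rootfs, dpkg-divert as the meaning of "diverting" with swapon/swapoff living in /sbin, capability bit numbers as in linux/capability.h, and the sample mask at the bottom is constructed, not captured from a real guest.

```shell
#!/bin/sh
# Added example, not from the original post or from lxc itself.
# Assumptions: lxc.mount.entry paths relative to the rootfs, capability
# bit numbers as in linux/capability.h, dpkg-divert for "diverting", and
# CapBnd read from /proc/1/status inside the guest.

# Capability names in bit order (bit 0 = chown ... bit 33 = mac_admin).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin"

# The set actually dropped above (the uncommented entries of bad_caps).
BAD_CAPS="audit_control audit_write fsetid ipc_lock ipc_owner kill lease \
linux_immutable mac_admin mac_override mknod setfcap setpcap \
sys_admin sys_boot sys_module sys_nice sys_pacct sys_ptrace \
sys_rawio sys_resource sys_time sys_tty_config"

# Lines to append to the container's config: one lxc.cap.drop line plus
# the proc and sys mounts that keep upstart from needing sys_admin.
lxc_cap_drop_config() {
    # $BAD_CAPS is unquoted on purpose: word splitting joins on single spaces.
    printf 'lxc.cap.drop = %s\n' "$(echo $BAD_CAPS)"
    printf 'lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0\n'
    printf 'lxc.mount.entry = sysfs sys sysfs defaults 0 0\n'
}

# Commands to run inside the guest so halt cannot remount / read-only:
# divert the real binaries away (dpkg keeps them as <path>.distrib) and
# point the original names at /bin/true.
guest_divert_cmds() {
    for path in /bin/mount /bin/umount /sbin/swapon /sbin/swapoff; do
        printf 'dpkg-divert --local --rename --add %s\n' "$path"
        printf 'ln -s /bin/true %s\n' "$path"
    done
}

# Names of the caps set in a hex mask as the kernel prints it in the
# CapBnd/CapEff fields of /proc/<pid>/status (no 0x prefix).
caps_in_mask() {
    i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (0x$1 >> i) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Which of BAD_CAPS are still present in the given bounding-set mask.
# Empty output means the lxc.cap.drop line took effect.
undropped_caps() {
    present=" $(caps_in_mask "$1") "
    leak=""
    for c in $BAD_CAPS; do
        case "$present" in
            *" $c "*) leak="$leak${leak:+ }$c" ;;
        esac
    done
    printf '%s\n' "$leak"
}

# Typical use:
#   host:  lxc_cap_drop_config >> /var/lib/lxc/vps1/config
#   guest: undropped_caps "$(awk '/^CapBnd:/ {print $2}' /proc/1/status)"
# Demo with a constructed mask (bits 0-3, 6, 7, 10-13 and 18 set), which is
# what CapBnd looks like once BAD_CAPS are gone, so "leftover:" is empty.
lxc_cap_drop_config
printf 'leftover: %s\n' "$(undropped_caps 0000000000043ccf)"
```

Run the decode inside the guest rather than trusting the config: a typo in a capability name in lxc.cap.drop is the kind of error that otherwise goes unnoticed until a postinst script or an attacker exercises the capability you believed was gone.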