Bug 20190 - new ebuild for compartment - a security tool for running privileged and/or network services in a compartment
Status: RESOLVED LATER
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High enhancement
Assignee: The Gentoo Linux Hardened Team
URL: http://www.suse.de/~marc/compartment....
Keywords: EBUILD
Reported: 2003-04-29 18:08 UTC by sergey ivanov
Modified: 2003-11-08 07:19 UTC (History)
Attachments
compartment e-build (compartment-1.1-r0.ebuild, 382 bytes, text/plain)
2003-04-29 18:10 UTC, sergey ivanov

Description sergey ivanov 2003-04-29 18:08:08 UTC
Hi!
There is a new trivial ebuild for compartment in the attachment, while compartment
itself is a very interesting security tool for running privileged and/or network
services in a compartment. This tool supports dropping privs to a user and/or
group, chrooting and Linux capabilities, plus initialization scripts.

master:/SUSE/develop/compartment/compartment-1.1 #
SuSE secure compartment v1.1 Marc Heuse  http://www.suse.de/~marc

Syntax: ./compartment [options] /full/path/to/program
Options:
         --chroot path   chroot to path
         --user user     change uid to this user
         --group group   change gid to this group
         --init program  execute this program/script before doing anything
         --cap capset    set capset name. This option can be used several times.
         --verbose       be verbose
         --quiet         do no logging (to syslog)
         --fork          fork (if everything is fine)

Hints: always try to chroot; use --user&group if possible; chroot and chown all
files to another user than root if you use capabilties. Read the README file!

Known capset names: none CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_FS_MASK CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME
CAP_SYS_TTY_CONFIG (see linux/capability.h for more information)
master:/SUSE/develop/compartment/compartment-1.1 #
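The privilege-dropping sequence the help text above describes (chroot first, then change user and group, then run the program by its path inside the new root), carried out in C as an added example; it is not part of this bug report or of compartment's own source. The names confine() and privileges_dropped() are assumptions, and the chroot step needs root, so the usage line in the comment runs as root.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process the way a compartment-style wrapper does (hypothetical
 * helper, not compartment's own code): chroot() while still privileged,
 * chdir("/") so the cwd does not linger outside the jail, then drop
 * supplementary groups, gid and finally uid (uid last: after setuid() the
 * process could no longer setgid()). chroot_dir == NULL skips the chroot.
 * Returns 0 on success, -1 with errno set on failure. */
int confine(const char *chroot_dir, uid_t uid, gid_t gid)
{
    if (chroot_dir != NULL && (chroot(chroot_dir) != 0 || chdir("/") != 0))
        return -1;
    /* setgid() leaves supplementary groups alone; clear them while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Check that the drop stuck: real, effective and saved ids must all equal
 * the target, and regaining root must fail. Returns 1 if confined, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (r != uid || e != uid || s != uid || rg != gid || eg != gid || sg != gid)
        return 0;
    return uid == 0 || setuid(0) != 0;   /* a non-root uid must not get root back */
}

/* Stand-alone use, as root: ./confine /jail 65534 65534 /bin/sh ; the program
 * path is resolved inside the new root, as with compartment. */
int main(int argc, char **argv)
{
    if (argc < 5) return fprintf(stderr, "usage: chroot uid gid prog [args]\n"), 2;
    uid_t uid = (uid_t)atoi(argv[2]);
    gid_t gid = (gid_t)atoi(argv[3]);
    if (confine(argv[1], uid, gid) != 0 || !privileges_dropped(uid, gid))
        return fprintf(stderr, "confine: privilege drop failed\n"), 1;
    execv(argv[4], argv + 4);
    return perror("execv"), 1;
}
```

Run unprivileged, confine(NULL, getuid(), getgid()) is a no-op that still passes the verification, which is handy for testing the check itself.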
Comment 1 sergey ivanov 2003-04-29 18:10:31 UTC
Created attachment 11310
compartment e-build

I'd propose to place this ebuild in the portage/app-admin/ category.
Comment 2 solar (RETIRED) gentoo-dev 2003-10-17 11:53:41 UTC
Chances are I'll take this bug. I've written a lot of software like it, so
I'll end up reviewing the source code and such before taking it on; however,
I won't be able to jump into it for a week or so.
Comment 3 solar (RETIRED) gentoo-dev 2003-10-26 21:48:11 UTC
Hey, before I jump into this: do we have a few more people who would want
to see this tool in portage?
Comment 4 solar (RETIRED) gentoo-dev 2003-11-08 07:19:24 UTC
I'd like to thank Sergey for the ebuild contribution; however, as nobody is
speaking up for us to support this, I'm going to take the liberty of changing
the resolution to LATER.