On Sun, Oct 3, 2010 at 9:01 PM, richard -rw- weinberger <richard.weinber...@gmail.com> wrote: > I'm using lxc to run a few virtual private servers. > What capabilities are harmful and should be dropped using "lxc.cap.drop"?
Is my question too trivial or too stupid? ;) Here what i know so far: CAP_AUDIT_CONTROL: should be dropped CAP_AUDIT_WRITE: should be dropped CAP_CHOWN: is ok CAP_DAC_OVERRIDE: is ok CAP_DAC_READ_SEARCH is ok CAP_FOWNER is ok CAP_FSETID is ok CAP_IPC_LOCK is ok CAP_IPC_OWNER is ok CAP_KILL is ok CAP_LEASE is ok CAP_LINUX_IMMUTABLE is ok CAP_MAC_ADMIN should be dropped CAP_MAC_OVERRIDE should be dropped CAP_MKNOD should be dropped CAP_NET_ADMIN is ok CAP_NET_BIND_SERVICE is ok CAP_NET_BROADCAST is ok CAP_NET_RAW ok? CAP_SETGID is ok CAP_SETFCAP should be dropped CAP_SETPCAP should be dropped CAP_SETUID is ok CAP_SYS_ADMIN should be dropped CAP_SYS_BOOT should be dropped CAP_SYS_CHROOT should be dropped CAP_SYS_MODULE should be dropped CAP_SYS_NICE should be dropped CAP_SYS_PACCT should be dropped CAP_SYS_PTRACE is ok CAP_SYS_RAWIO should be dropped CAP_SYS_RESOURCE should be dropped CAP_SYS_TIME should be dropped CAP_SYS_TTY_CONFIG should be dropped Thanks! -- Cheers, //richard ------------------------------------------------------------------------------ Virtualization is moving to the mainstream and overtaking non-virtualized environment for deploying applications. Does it make network security easier or more difficult to achieve? Read this whitepaper to separate the two and get a better understanding. http://p.sf.net/sfu/hp-phase2-d2d _______________________________________________ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
