> On 14 May 2015, at 16:00, Robert Mustacchi <[email protected]> wrote: > > On 5/14/15 6:18 , Joe Malcolm wrote: >> Yes, I figured this was the case - thanks for confirming. I knew it >> was containerized, but not that it couldn't fork. >> >> Out of curiousity, do the SmartOS orchestration tools (vmadm, etc.) >> expose these additional limitations, such as disabling forking, in >> some generic way, so they could be applied to non-kvm zones? Well, not >> being able to fork may not be the most sensible example in general, >> since that would make most zone applications impossible, but >> presumably there's a general mechanism down there somewhere. > > Yes, this is a part of the general privileges mechanism. If you want to > deny the entire zone a set of privileges (I wouldn't do this for fork), > then you can use the vmadm 'limit_priv' property. > > However, what you'll find more useful is probably the libc interfaces > for dropping privileges and the ppriv (http://illumos.org/man/1/ppriv) > command which will let you make the change for an individual process and > its children that you launch.
Would privileges apply to Linux processes running inside an LX branded zone? Chris ------------------------------------------- smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00 Modify Your Subscription: https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb Powered by Listbox: http://www.listbox.com
