On 5/15/15 0:18 , Chris Ridd wrote:
>
>> On 14 May 2015, at 16:00, Robert Mustacchi <[email protected]> wrote:
>>
>> On 5/14/15 6:18 , Joe Malcolm wrote:
>>> Yes, I figured this was the case - thanks for confirming. I knew it
>>> was containerized, but not that it couldn't fork.
>>>
>>> Out of curiosity, do the SmartOS orchestration tools (vmadm, etc.)
>>> expose these additional limitations, such as disabling forking, in
>>> some generic way, so they could be applied to non-kvm zones? Well, not
>>> being able to fork may not be the most sensible example in general,
>>> since that would make most zone applications impossible, but
>>> presumably there's a general mechanism down there somewhere.
>>
>> Yes, this is a part of the general privileges mechanism. If you want to
>> deny the entire zone a set of privileges (I wouldn't do this for fork),
>> then you can use the vmadm 'limit_priv' property.
>>
>> However, what you'll find more useful is probably the libc interfaces
>> for dropping privileges and the ppriv (http://illumos.org/man/1/ppriv)
>> command which will let you make the change for an individual process and
>> its children that you launch.
>
> Would privileges apply to Linux processes running inside an LX branded zone?

Yes, they still apply. If I remember correctly, you'll also see some Linux tools see some of them phrased in terms of Linux capabilities. But you can just as easily use the native ppriv to launch a Linux process in the lx zone as a native process.

Robert
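As an added example (not part of the thread, and not SmartOS code), here is a shell check for confirming that a process started under a reduced privilege set really lacks a given privilege such as `proc_fork`. It assumes the usual `ppriv <pid>` listing of the E/I/P/L sets; the `has_priv` helper and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# has_priv SET PRIV: read a `ppriv <pid>` listing on stdin and report whether
# PRIV is in privilege set SET (E, I, P or L).
#   exit 0 = present, 1 = absent, 3 = set not found in the input,
#   exit 2 = undecidable: only an alias (basic/zone) is shown, rerun ppriv -v
has_priv() {
    awk -v want="$1:" -v priv="$2" '
        $1 == want {
            seen = 1
            n = split($2, t, ",")
            for (i = 1; i <= n; i++) {
                if (t[i] == ("!" priv))                     neg = 1
                else if (t[i] == priv || t[i] == "all")     pos = 1
                else if (t[i] == "basic" || t[i] == "zone") alias = 1
            }
        }
        END {
            if (!seen) exit 3
            if (neg)   exit 1   # an explicit !priv always wins
            if (pos)   exit 0
            if (alias) exit 2
            exit 1
        }'
}

# Constructed sample: short listing of a process started without proc_fork.
sample_short() {
    printf '4242:\tsleep 60\nflags = <none>\n'
    printf '\tE: basic,!proc_fork\n\tI: basic,!proc_fork\n'
    printf '\tP: basic,!proc_fork\n\tL: zone,!proc_fork\n'
}

# Constructed sample: verbose-style listing with every name spelled out
# (the L set is omitted here to keep the sample short).
sample_verbose() {
    printf '4242:\tsleep 60\nflags = <none>\n'
    printf '\tE: file_link_any,proc_exec,proc_info,proc_session\n'
    printf '\tI: file_link_any,proc_exec,proc_info,proc_session\n'
    printf '\tP: file_link_any,proc_exec,proc_info,proc_session\n'
}

# On a live system the input would come from ppriv itself, for example:
#   ppriv -v "$pid" | has_priv E proc_fork
```

An exit status of 2 means the listing only showed an alias, so the answer has to come from the verbose listing instead of being guessed.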
