2006/1/19, sukrit <[EMAIL PROTECTED]>:
> Is it firstly possible to remove root user from a vserver so as to
> secure it? Secondly is there documentation of this? Also, any known side
> effects?
>
> Regards,
> Sukrit.D.

Well, yes and no.

No, you can't really prevent *all* processes from having uid==0 (what about vserver enter? you'd want to block it too?).

Yes, you can strip enough capabilities to lock down the vserver heavily.

Known side effects - things break :) e.g. if you remove CAP_MOUNT you can no longer mount filesystems etc. so programs that expect this feature don't work.

I'm usually using a set of bcapabilities like this:

CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH
CAP_FOWNER
CAP_FSETID
CAP_KILL
CAP_SETGID
CAP_SETUID
CAP_SETPCAP
CAP_NET_BIND_SERVICE
CAP_SYS_NICE
CAP_SYS_RESOURCE

plus quota_ctl in ccapabilities.

HTH,
Grzegorz Nosek

_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
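
An added example, not part of the original thread: one way to check from inside a guest that a uid 0 process really holds only the capability set listed in the reply, by decoding a capability mask from /proc/<pid>/status text. The choice of the CapEff field and both sample status excerpts are constructed assumptions; the bit numbers are the standard Linux capability numbers.

```python
import re

# Linux capability bit numbers 0-31 (linux/capability.h), in order.
CAP_NAMES = """CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP""".split()

# The bcapabilities set quoted in the reply above.
ALLOWED = set("""CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_NET_BIND_SERVICE
CAP_SYS_NICE CAP_SYS_RESOURCE""".split())

def decode_mask(hex_mask):
    """Turn a hex capability mask into a set of capability names."""
    mask = int(hex_mask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the table are reported by number, not guessed.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names

def audit_status(status_text, field="CapEff"):
    """Compare one Cap* line of a /proc/<pid>/status dump with ALLOWED."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError(f"no {field} line in status text")
    held = decode_mask(m.group(1))
    return {"unexpected": sorted(held - ALLOWED),
            "missing": sorted(ALLOWED - held)}

# Constructed samples: a root shell restricted to exactly the listed set,
# and one that also kept CAP_NET_RAW and CAP_SYS_ADMIN.
SAMPLE_OK = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t00000000018005ff\n"
SAMPLE_WIDE = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t0000000001a025ff\n"

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("wide", SAMPLE_WIDE)):
        print(label, audit_status(text))
```

Any name reported under "unexpected" is a privilege that root inside the guest still holds beyond the intended set.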
