Wednesday, 22 September 2010

List of OpenVZ capabilities for a VPS, with descriptions

For a very long time I could not find this by googling. Purely by chance I came across a PDF with their descriptions (oddly, they were described in the SWsoft documentation from 2006, but not in the Parallels one from 2008).

chown If a process has this capability set on, it can change ownership on files not belonging to it or belonging to another user. You have to set this capability on to allow the Virtual Private Server root user to change ownership on files and directories inside the VPS.
default: on

dac_override This capability allows access to files even if the permission is set to disable access. Normally leave this on to let the VPS root access files even if the permission does not allow it.
default: on

dac_read_search Overrides restrictions on reading and searching for files and directories. The explanation is almost the same as above, with the sole exception that this capability does not override executable restrictions.
default: on

fowner Overrides restrictions on setting the S_ISUID and S_ISGID bits on a file requiring that the effective user ID and effective group ID of the process shall match the file owner ID.
default: on

fsetid Used to decide between falling back on the old suser() or fsuser().
default: on

kill Allows sending signals to processes owned by other users.
default: on

setgid Allows group ID manipulation and forged group IDs on socket credentials passing.
default: on

setuid Allows user ID manipulation and forged user IDs on socket credentials passing.
default: on

setpcap Transfer any capability in your permitted set to any process ID; remove any capability in your permitted set from any process ID.
default: off

linux_immutable Allows the modification of the S_IMMUTABLE and S_APPEND file attributes. These attributes are implemented only for the EXT2FS and EXT3FS Linux file systems and, as such, this capability has no effect for Virtual Private Servers running on top of VZFS. However, if you bind mount a directory located on the EXT2FS or EXT3FS file system into a Virtual Private Server and revoke this capability, the root user inside the VPS will not be able to delete or truncate files with these attributes on.
default: on

net_bind_service Allows binding to sockets with port numbers below 1024.
default: on

net_broadcast Allows network broadcasting and multicast access.
default: on

net_admin Allows the administration of IP firewalls and accounting.
default: off

net_raw Allows the use of RAW and PACKET sockets.
default: on

ipc_lock Allows locking shared memory segments and the mlock/mlockall calls.
default: on

ipc_owner Overrides IPC ownership checks.
default: on

sys_module Insert and remove kernel modules. Be very careful with setting this capability on for a Virtual Private Server; if a user has the permission to insert kernel modules, this user has essentially full control over the Hardware Node.
default: off

sys_rawio Allows creating VZFS symlinks over VZFS.
default: off

sys_chroot Allows the use of chroot().
default: on

sys_ptrace Allows tracing any process.
default: on

sys_pacct Allows configuring process accounting.
default: on

sys_admin In charge of many system administrator tasks such as swapping, administering APM BIOS, and so on. Shall be set to off for Virtual Private Servers.
default: off

sys_boot This capability currently has no effect on VPS behaviour.
default: on

sys_nice Allows raising priority and setting priority for other processes.
default: on

sys_resource Override resource limits (do not confuse with user beancounters).
default: on

sys_time Allows changing the system time.
default: off

sys_tty_config Allows the configuration of TTY devices.
default: on

mknod Allows the privileged aspects of mknod().
default: on

lease Allows taking leases on files.
default: on

Source: www.canadianwebhosting.com/documents/VzLinuxUG.pdf
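The list above is a reference, and the practical question for an administrator is whether a given container has been handed capabilities the guide says should stay off (sys_module and sys_admin in particular, since the guide notes they give container root control over the Hardware Node). The following script, an added example that is not part of the original post or of the OpenVZ project, encodes the documented defaults and audits a container config against them. It assumes the per-container config file (/etc/vz/conf/CTID.conf in OpenVZ) carries a shell-style line of the form CAPABILITY="name:on name:off ..."; the sample config and the severity labels are constructed here for illustration.

```python
"""Audit an OpenVZ container config's CAPABILITY line against the defaults
listed in the SWsoft guide quoted above (added example; assumptions noted)."""
import re

# Defaults for each capability as listed in the guide excerpt above.
DEFAULTS = {
    "chown": "on", "dac_override": "on", "dac_read_search": "on",
    "fowner": "on", "fsetid": "on", "kill": "on", "setgid": "on",
    "setuid": "on", "setpcap": "off", "linux_immutable": "on",
    "net_bind_service": "on", "net_broadcast": "on", "net_admin": "off",
    "net_raw": "on", "ipc_lock": "on", "ipc_owner": "on",
    "sys_module": "off", "sys_rawio": "off", "sys_chroot": "on",
    "sys_ptrace": "on", "sys_pacct": "on", "sys_admin": "off",
    "sys_boot": "on", "sys_nice": "on", "sys_resource": "on",
    "sys_time": "off", "sys_tty_config": "on", "mknod": "on",
    "lease": "on",
}

# Capabilities the guide singles out as giving container root control over
# the Hardware Node (sys_module) or host-wide admin tasks (sys_admin).
HOST_CONTROL_RISK = {"sys_module", "sys_admin"}

# Assumed config syntax: CAPABILITY="cap:on cap:off ..." (one line).
CAP_LINE = re.compile(r'^\s*CAPABILITY\s*=\s*"?([^"\n]*)"?\s*$', re.MULTILINE)
ENTRY = re.compile(r'^([a-z_]+):(on|off)$')


def parse_capability_line(conf_text):
    """Return {capability: "on"/"off"} from the CAPABILITY= line,
    or {} if the line is absent. Malformed entries raise ValueError
    instead of being silently dropped, so a typo cannot hide a grant."""
    match = CAP_LINE.search(conf_text)
    if not match:
        return {}
    overrides = {}
    for token in match.group(1).split():
        entry = ENTRY.match(token)
        if not entry:
            raise ValueError("malformed capability entry: %r" % token)
        overrides[entry.group(1)] = entry.group(2)
    return overrides


def effective_capabilities(overrides):
    """Documented defaults with the config's explicit overrides applied."""
    caps = dict(DEFAULTS)
    caps.update({k: v for k, v in overrides.items() if k in DEFAULTS})
    return caps


def audit(conf_text):
    """Return (severity, capability, message) findings, sorted by name."""
    overrides = parse_capability_line(conf_text)
    findings = []
    for cap, state in sorted(overrides.items()):
        if cap not in DEFAULTS:
            findings.append(("warn", cap, "not a capability listed in the guide"))
        elif state == "on" and DEFAULTS[cap] == "off":
            severity = "high" if cap in HOST_CONTROL_RISK else "medium"
            findings.append((severity, cap,
                             "enabled although the documented default is off"))
        elif state == "off" and DEFAULTS[cap] == "on":
            findings.append(("info", cap, "disabled below the documented default"))
    return findings


# Constructed sample container config; not a real /etc/vz/conf file.
SAMPLE_CONF = '''\
ONBOOT="yes"
VE_ROOT="/vz/root/$VEID"
CAPABILITY="sys_time:on sys_module:on dac_override:off"
'''

if __name__ == "__main__":
    for severity, cap, message in audit(SAMPLE_CONF):
        print("%-6s %-16s %s" % (severity, cap, message))
```

Run against a real config by reading the file into `audit()`; anything reported as "high" is a capability the guide explicitly says to keep off for a VPS, and "medium" covers the remaining off-by-default ones (setpcap, net_admin, sys_rawio, sys_time).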
