
NAME

       compartment - secure program/service wrapper

SYNOPSIS

       compartment  [--cap  CAPSET]  [--chroot  PATH]  [--user  USER] [--group
       GROUP]    [--init    PROGRAM]    [--verbose]     [--quiet]     [--fork]
       /full/path/to/program

DESCRIPTION

       The Secure Compartment was designed to allow safe execution of
       privileged and/or untrusted executables and services.  It includes
       all the features that can be used to minimize the risk posed by a
       trojanized or vulnerable program/service.

COMMANDLINE OPTIONS

       --cap CAPSET
              sets the capabilities given in CAPSET for the process.  See
              the README file and the section LIMITATIONS for more
              information and examples.

       --chroot PATH
              chroots to the given PATH, which has to be a valid chroot
              environment.  See the README file for more information and
              examples.

       --user USER
              runs the program with uid/euid of USER

       --group GROUP
              runs the program with gid/egid of GROUP

       --init PROGRAM
              runs PROGRAM before running the untrusted program/service,  e.g.
              to build a chroot environment

       --verbose
              prints detailed information about what compartment does.

       --quiet
              does not print syslog information about the use of compartment

       --fork
              forks if everything was set up correctly; the parent process
              will exit.

FEATURES

       Linux Capabilities

       supports all Linux capabilities
              (see /usr/include/linux/capability.h and the README file)

       Chrooting

       supports a chroot setup

       Privileges

       supports running with defined user and/or group privileges

       Setup Scripts

       supports running of initial scripts
              before  running  a  program/service,  e.g.  to  build  a  chroot
              environment.

LIMITATIONS

       Currently the kernel does not allow capabilities on processes which are
       not running with euid 0. Therefore compartment will exit with an error
       if --user and --cap are used together.

       Please note that this will change for the 2.4 kernel.
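
       An added sketch in C, not compartment's own source, of the order in
       which a wrapper of this kind has to apply --chroot, --group and --user,
       together with the --user/--cap check described above. The struct and
       the names plan_check and plan_apply are hypothetical.

```c
/* Added illustration; not compartment's source code. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct plan {                     /* hypothetical: one field per option */
    const char *chroot_path;      /* --chroot PATH, or NULL */
    int have_user;  uid_t uid;    /* --user  (already resolved to a uid) */
    int have_group; gid_t gid;    /* --group (already resolved to a gid) */
    int have_cap;                 /* --cap was given */
};

/* LIMITATIONS: capabilities need euid 0, so --user plus --cap is refused. */
int plan_check(const struct plan *p)
{
    return (p->have_user && p->have_cap) ? -1 : 0;
}

/* chroot needs root, so it comes first; the uid is dropped last because
 * setgroups()/setgid() stop working once the process is no longer root. */
int plan_apply(const struct plan *p)
{
    if (plan_check(p) != 0)
        return -1;
    if (p->chroot_path &&
        (chroot(p->chroot_path) != 0 || chdir("/") != 0))
        return -1;                /* chdir so the cwd is inside the jail */
    if (p->have_group &&
        (setgroups(1, &p->gid) != 0 || setgid(p->gid) != 0))
        return -1;
    if (p->have_user) {
        if (setuid(p->uid) != 0)
            return -1;
        if (p->uid != 0 && setuid(0) == 0)
            return -1;            /* root could be regained: refuse to go on */
    }
    return 0;
}

int main(void)
{
    struct plan conflict = { NULL, 1, 65534, 0, 0, 1 };  /* constructed */
    struct plan user_only = { NULL, 1, 65534, 0, 0, 0 }; /* constructed */
    printf("--user with --cap: %d\n", plan_check(&conflict));
    printf("--user alone:      %d\n", plan_check(&user_only));
    return 0;
}
```

       With --user but no --group, this sketch leaves the gid and the
       supplementary groups untouched, following the option descriptions
       literally.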

BUGS

       No bugs are currently known

AUTHOR

       Marc Heuse <marc@suse.de>

DISTRIBUTION

       compartment is part of the SuSE Linux Distribution since 7.0 so it can
       be downloaded as an RPM file from the SuSE FTP servers. It can also be
       downloaded as a .tar.gz file from http://www.suse.de/~marc

       It has also been part of the Debian GNU/Linux distribution since just
       after woody (Debian 3.0)

LICENCE

       This program is free software; you can redistribute it and/or modify it
       under  the  terms of the GNU General Public License as published by the
       Free Software Foundation; Version 2.

       This program is distributed in the hope that it  will  be  useful,  but
       WITHOUT   ANY   WARRANTY;   without   even   the  implied  warranty  of
       MERCHANTABILITY or FITNESS  FOR  A  PARTICULAR  PURPOSE.  See  the  GNU
       General Public License for more details.

SEE ALSO

       capset (2), chroot (1), chroot (2)