compartment - secure program/service wrapper
compartment [--cap CAPSET] [--chroot PATH] [--user USER] [--group
GROUP] [--init PROGRAM] [--verbose] [--quiet] [--fork]
The Secure Compartment was designed to allow safe execution of
priviliged and/or untrusted executables and services. It has got all
features possible included, which can be used to minimize the risk of a
trojanized or vulnerable program/service.
sets the defined CAPABILITY for the process. See the README
file and the section LIMITATIONS for more information and
chroots to the PATH defined. It has to be a valid chroot
environment. See the README file for more information and
runs the program with uid/euid of USER
runs the program with gid/egid of GROUP
runs PROGRAM before running the untrusted program/service, e.g.
to build a chroot environment
prints detailled information what compartment does.
--quit does not print syslog information about the use of compartment
--fork forks if everything was set up correctly, mother process will
supports all Linux capabilites
(see /usr/include/linux/capability.h and the README file)
supports a chroot setup
supports running with defined user and/or group privileges
supports running of initial scripts
before running a program/service, e.g. to build a chroot
Currently the kernel does not allow capabilities on processes which are
not running with euid 0. Therefore compartment will exit with an error
if --user and --cap is used together.
Please note that this will change for the 2.4 kernel.
No bugs are currently known
Marc Heuse <email@example.com>
compartment is part of the SuSE Linux Distribtution since 7.0 so it can
be downloaded as an RPM file from the SuSE FTP servers. It can also be
downloaded as a .tar.gz file from http://www.suse.de/~marc
It has been also part of the Debian GNU/Linux distribution since just
after woody (Debian 3.0)
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; Version 2.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
capset (2), chroot (1), chroot (2)