NAME
chcontext - allocate a new security context and execute a command in that
context.
SYNTAX
chcontext [options] <command arguments>
DESCRIPTION
chcontext allocates a new security context and executes a command in that
context. By default, a new, unused context number is allocated and printed
(see --silent); a specific context can be selected with --ctx, which only
root in context 0 is allowed to do.
OPTIONS
- --cap CAP_NAME
- Add a capability to the command. This option may be repeated several
times. See /usr/include/linux/capability.h for the CAP_* names. In general,
this option is used together with --secure: --secure removes the most
critical capabilities and --cap adds specific ones back.
- --cap !CAP_NAME
- Remove a capability from the command. This option may be repeated several
times. See /usr/include/linux/capability.h. Interactive shells such as bash
treat a leading ! as history expansion, so quote the argument
(for example --cap '!CAP_NET_RAW').
- --ctx num
- Select the context. Only root in context 0 is allowed to select a specific
context. Context number 1 is special: it can see all processes in any
context, but it cannot kill them.
- --disconnect
- Start the command in the background and make the process a child of
process 1.
- --domainname new_domainname
- Set the domainname (NIS) in the new security context. Use "none"
to unset the domainname.
- --flag flag_name
- Set one flag in the new or current security context. The option may be
used several times. The following flags are supported:
    lock: The new process is trapped and can't use chcontext anymore.
    sched: The new process and its children will share a common execution
    priority.
    nproc: Limit the number of processes in the vserver according to the
    ulimit setting. Normally ulimit applies per user; with this flag it
    applies per vserver.
    private: No one can join this security context once created.
- --hostname new_hostname
- Set the hostname in the new security context. This is needed because if
you create a less privileged security context, it may be unable to change
its hostname.
- --secure
- Remove the critical capabilities so that a virtual server can be trusted.
Use --cap CAP_NAME to add specific capabilities back.
- --silent
- Do not print the allocated context number. Information about the context
is found in the s_context line of /proc/self/status.
FILES
/usr/sbin/chcontext
EXAMPLES
    # You must be root, running X.
    # We start an xterm in another security context
    /usr/sbin/chcontext xterm &

    # We check: ps shows no xterm running, yet we can see its window
    ps ax | grep xterm

    # Are we running in security context 0?
    # We check the s_context line in /proc/self/status
    cat /proc/self/status

    # Ok, we are in security context 0. Try security context 1
    # (only ps runs in context 1; grep runs in our own context)
    /usr/sbin/chcontext --ctx 1 ps ax | grep xterm

    # Ok, we see the xterm; we try to kill it
    /usr/sbin/chcontext --ctx 1 killall xterm

    # No: security context 1 can see, but can't kill.
    # Let's find out in which security context this xterm is running
    /usr/sbin/chcontext --ctx 1 ps ax | grep xterm

    # Ok, this is PID XX. We need its security context
    /usr/sbin/chcontext --ctx 1 cat /proc/XX/status

    # We see the s_context, this is SS. We want to kill this process
    /usr/sbin/chcontext --ctx SS killall xterm
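The manual steps above (read the s_context line of a process, find every process in a given context, then build a --secure/--cap command line) can be scripted. The following is an added example and is not part of this man page or of the VServer tools. It assumes that a VServer kernel reports the context as a line starting with "s_context:" in /proc/PID/status (the exact spelling is an assumption); the sample /proc tree is constructed inline so the script runs offline, and the command builder only prints the chcontext invocation, using only the options documented above, so it can be reviewed before being run as root in context 0.

```shell
#!/bin/sh
# Added example; not code from the chcontext man page or the VServer project.
# Assumption: /proc/PID/status contains a line "s_context:<TAB>N" on a
# VServer kernel.

# Print the security context recorded in one /proc/PID/status-style file.
ctx_of_status_file() {
    awk '$1 == "s_context:" { print $2; exit }' "$1"
}

# Print "PID CTX" for every process under the /proc-like tree $1 whose
# s_context equals $2 (real use: pids_in_ctx /proc 7, run via --ctx 1 so
# that all contexts are visible).
pids_in_ctx() {
    procdir=$1; want=$2
    for entry in "$procdir"/[0-9]*; do
        [ -r "$entry/status" ] || continue
        ctx=$(ctx_of_status_file "$entry/status")
        if [ "$ctx" = "$want" ]; then
            echo "${entry##*/} $ctx"
        fi
    done
    return 0
}

# Build the chcontext command line for a trustable server: --secure drops
# the critical capabilities, --cap re-adds only the named ones.
# $1: hostname for the new context; remaining args: capabilities to keep.
secure_chcontext_cmd() {
    host=$1; shift
    cmd="/usr/sbin/chcontext --secure --hostname $host"
    for cap in "$@"; do
        cmd="$cmd --cap $cap"
    done
    echo "$cmd"
}

# Constructed sample: a fake /proc tree with two processes, one in
# context 7 (an xterm) and one in context 0 (a shell).
make_sample_proc() {
    dir=$(mktemp -d)
    mkdir "$dir/1234" "$dir/5678"
    printf 'Name:\txterm\nPid:\t1234\ns_context:\t7\n' > "$dir/1234/status"
    printf 'Name:\tbash\nPid:\t5678\ns_context:\t0\n'  > "$dir/5678/status"
    echo "$dir"
}

# Demonstration on the constructed tree.
sample=$(make_sample_proc)
pids_in_ctx "$sample" 7                      # prints: 1234 7
secure_chcontext_cmd web CAP_NET_BIND_SERVICE
rm -rf "$sample"
```

Once the context number of the stray process is known, the last step of the example above applies unchanged: run killall (or kill) through chcontext --ctx with that number, since context 1 can only observe.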
Please contribute some, if you feel it's important.
AUTHORS
This man page was written by Klavs Klavsen <kl@vsen.dk> and is based upon
the helpful output from the program itself and the documentation on the
Virtual Server site
<http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>
SEE ALSO
chbind(8), rebootmgr(8), reducecap(8), vps(8), vpstree(8), vrpm(8),
vserver(8), vserver-stat(8), vtop(8)