reducecap(8)                 System Administration                reducecap(8)



NAME
       reducecap - lower the capability ceiling of a process and its child
       processes

SYNOPSIS
       reducecap [options] <command arguments>

DESCRIPTION
       The reducecap utility lowers the capability ceiling (the capability
       bounding set, shown as the capBset line in /proc/<pid>/status) of the
       command it executes and of every child process that command creates.
       The ceiling is inherited across fork and exec and can only be lowered,
       never raised, so even a setuid root program started from such a
       process cannot grab the capabilities that were removed.

OPTIONS
       --secure
              Removes all dangerous capabilities from the executed process.
              Specifically it removes:

              CAP_LINUX_IMMUTABLE, CAP_NET_BROADCAST, CAP_NET_ADMIN,
              CAP_NET_RAW, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_SYS_MODULE,
              CAP_SYS_RAWIO, CAP_SYS_PACCT, CAP_SYS_ADMIN, CAP_SYS_BOOT,
              CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_SYS_TIME, CAP_MKNOD.

              This leaves the following capabilities in place: CAP_CHOWN,
              CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID,
              CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_NET_BIND_SERVICE,
              CAP_SYS_CHROOT, CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG, CAP_LEASE,
              CAP_QUOTACTL.

              Note that CAP_SETPCAP appears in neither list. To see what the
              ceiling actually contains after the call, use --show or read
              the capBset line of /proc/self/status.

       --show Shows the capabilities of the current process.

       --flag Sets the security context flags. The option may be repeated
              several times. The accepted values are:

              lock      The security context can't be changed: the process is
                        trapped in this context. This is generally used for
                        vservers, because you do not want them to hide in a
                        new security context.

              sched     Each process in a security context contributes to
                        (lowers) the general priority of every process in the
                        context. Roughly, all processes in a security context
                        together get as much CPU as one process not bound to
                        this flag. Said differently, a vserver with 100 active
                        processes won't get more CPU than another vserver with
                        a single active process.

              nproc     The "ulimit -u N" setting becomes global to the
                        security context: the security context as a whole is
                        not allowed to have more than N processes.

              private   No other process, not even root in security context
                        0, is allowed to enter this security context. Once a
                        security context is set up with this flag, it is on
                        its own. This also means that root in security context
                        0 won't be able to kill or otherwise interact with
                        those processes.

              hideinfo  Hides various information in /proc.

       --LINUX_IMMUTABLE
       --NET_BIND_SERVICE
       --NET_BROADCAST
       --NET_ADMIN
       --NET_RAW
       --IPC_LOCK
       --IPC_OWNER
       --SYS_MODULE
       --SYS_RAWIO
       --SYS_PACCT
       --SYS_ADMIN
       --SYS_BOOT
       --SYS_NICE
       --SYS_RESOURCE
       --SYS_TIME
       --MKNOD
              Each of these options removes the single named capability (the
              CAP_ prefix is omitted). They may be given after --secure to
              remove further capabilities, for instance --NET_BIND_SERVICE,
              which --secure leaves in place.


FILES
       /usr/sbin/reducecap


EXAMPLES
       # You are not root now
       # What is the current capability ceiling?
       cat /proc/self/status
       # The capBset line presents mostly 1s.
       /usr/sbin/reducecap --secure /bin/sh
       cat /proc/self/status
       # The capBset line now shows many more 0s.
       # The capEff line shows all 0s: you have no privilege now.
       # We su to root
       su
       cat /proc/self/status
       # capEff is much better now, but there are still many 0s.
       # Now we try to see if we are really root
       tail /var/log/messages
       # So far so good, we see the content.
       /sbin/ifconfig eth0
       /sbin/ifconfig eth0 down
       # No way, we can't configure the interface. In fact
       # we have lost most privilege normally assigned to root.
       exit

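       As an added example (not code from reducecap, util-vserver or the
       author of this page), the following POSIX sh script does by machine
       what the example session above does by eye: it decodes the hex
       capability masks printed in /proc/self/status and computes, from the
       two lists given for the --secure option, the ceiling a process should
       be left with. It assumes the bit numbering of linux/capability.h for
       the standard capabilities (CAP_CHOWN = 0 through CAP_LEASE = 28),
       assumes bit 29 for the vserver-specific CAP_QUOTACTL (this page gives
       no number for it), and uses the field name capBset as this page does.
       The status text it parses is constructed, not captured from a kernel.

```sh
#!/bin/sh
# Added example, not part of reducecap or util-vserver: decode the hex
# capability masks printed in /proc/<pid>/status so the effect of
# "reducecap --secure" can be checked instead of eyeballed.
#
# Assumptions: bit numbers follow linux/capability.h (CAP_CHOWN = 0 ...
# CAP_LEASE = 28). CAP_QUOTACTL comes from the vserver kernel patch; the
# man page does not give its bit number, so 29 is assumed here. The field
# name capBset is the one the man page uses (later kernels print CapBnd).

CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_QUOTACTL"

# cap_name BIT -> capability name for that bit, or CAP_BIT_<n> if unknown
cap_name() {
    bit=$1; n=$1
    set -- $CAP_NAMES
    while [ "$n" -gt 0 ] && [ $# -gt 0 ]; do shift; n=$(( n - 1 )); done
    if [ $# -gt 0 ]; then echo "$1"; else echo "CAP_BIT_$bit"; fi
}

# decode_mask HEX -> names of the capabilities whose bit is set, space separated
decode_mask() {
    mask=$(( 0x$1 )); out=""; i=0
    while [ "$i" -lt 32 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then out="$out $(cap_name "$i")"; fi
        i=$(( i + 1 ))
    done
    echo "${out# }"
}

# mask_of NAME... -> 8-digit hex mask with exactly those capability bits set
mask_of() {
    m=0
    for want in "$@"; do
        i=0
        for have in $CAP_NAMES; do
            if [ "$have" = "$want" ]; then m=$(( m | (1 << i) )); fi
            i=$(( i + 1 ))
        done
    done
    printf '%08x\n' "$m"
}

# status_field STATUS_TEXT FIELD -> hex value of FIELD (e.g. capBset) in a
# /proc/<pid>/status dump; fields are "name:<tab>value" lines
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# dropped BEFORE_HEX AFTER_HEX -> capabilities present before but not after
dropped() {
    decode_mask "$(printf '%x' $(( (0x$1 & ~0x$2) & 0xffffffff )))"
}

# has_cap "NAME LIST" NAME -> exit status 0 if NAME is in the list
has_cap() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# The ceiling the man page says --secure leaves behind (CAP_SETPCAP is in
# neither of its lists, so it is not included here).
SECURE_MASK=$(mask_of CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
    CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE CAP_SYS_CHROOT \
    CAP_SYS_PTRACE CAP_SYS_TTY_CONFIG CAP_LEASE CAP_QUOTACTL)

# Constructed status snippets standing in for the two "cat /proc/self/status"
# runs of the example session (not real kernel output).
STATUS_BEFORE="CapInh: 00000000
CapPrm: 00000000
CapEff: 00000000
capBset: ffffffff"
STATUS_AFTER="CapInh: 00000000
CapPrm: 00000000
CapEff: 00000000
capBset: $SECURE_MASK"

before=$(status_field "$STATUS_BEFORE" capBset)
after=$(status_field "$STATUS_AFTER" capBset)
echo "capBset before: $before"
echo "capBset after:  $after ($(decode_mask "$after"))"
echo "dropped by --secure: $(dropped "$before" "$after")"

# On a live system, feed the real file instead of the constructed text:
#   status_field "$(cat /proc/self/status)" capBset
```

       Run it inside the shell started by "reducecap --secure /bin/sh" with
       the real /proc/self/status as input; any capability that decode_mask
       still reports but --secure is documented to remove, or the other way
       round, is a mismatch worth investigating before trusting the ceiling.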
       Please contribute some more, if you feel it's important.

AUTHOR
       This man page was written by Klavs Klavsen <kl@vsen.dk> and based upon
       the helpful output from the program itself and the documentation on the
       Virtual Server site
       <http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>

SEE ALSO
       chcontext(8) rebootmgr(8) chbind(8) vps(8) vpstree(8) vrpm(8)
       vserver(8) vserver-stat(8) vtop(8)



Klavs Klavsen <kl@vsen.dk>            0.1.0                       reducecap(8)