Differences

This shows you the differences between two versions of the page.

wiki:experiences:igraltist:run-jail [2012/05/13 07:27]
127.0.0.1 (old revision restored)
wiki:experiences:igraltist:run-jail [2012/07/21 22:01]
127.0.0.1 (old revision restored)
Line 1: Line 1:
-[[wiki:​experiences/​igraltist#​rsbac_jail|Back to igraltist'​s experiences/​RSBAC JAIL]]\\ +[[wiki:​experiences/​igraltist#​JAIL|Back to igraltist'​s experiences/​JAIL]]\\
- +
- +
- +
- +
- +
- +
- +
- +
- +
  
 ====== run-jail ====== ====== run-jail ======
-Visit the [[http://hg.kasten-edv.de/​rsbac-tools/​file| mericurial repository]]. +Iam using my own tool to manage ​the RSBAC JAIL.
- +
- +
- +
- +
- +
- +
  
 +See the [[http://​hg.kasten-edv.de/​rsbac-tools/​file| mericurial repository]].
  
  
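Review bot: The added intro line reads "Iam using my own tool" and should be "I am using my own tool". The link text on the new "See the" line still says "mericurial repository" where "Mercurial repository" is meant, so the typo is carried over from the removed line rather than fixed.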
Line 258: Line 242:
  
 The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits. The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits.
 +
  
  
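Review bot: The paragraph at line 242 still carries "nework interface" (network), "(kill capability).Furthermore" (missing space) and "processes which owned by other users" (missing "are"); the only change here is a blank line added after it. This paragraph tells readers how much the example jail still permits (setuid(), setgid(), net-bind-service, kill, device access, protocols other than IPv4), so it is worth cleaning up in the same edit.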
Line 295: Line 280:
 or in the init.d file. or in the init.d file.
  
-As example ​use the postfix init script. Modify it like below:+As example use the postfix init script. Modify it like below:
 <code bash> <code bash>
 run-jail pdnsd start-stop-daemon --start --quiet --exec /​usr/​sbin/​pdnsd -- -t -s -d -p /​var/​run/​pdnsd.pid ${PDNSDCONFIG} run-jail pdnsd start-stop-daemon --start --quiet --exec /​usr/​sbin/​pdnsd -- -t -s -d -p /​var/​run/​pdnsd.pid ${PDNSDCONFIG}
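Review bot: The sentence at line 280 says to use the postfix init script, but the command under it jails pdnsd (run-jail pdnsd start-stop-daemon ... --exec /usr/sbin/pdnsd). Name the same service in both places; the edit here only touches spacing in that sentence, so the mismatch remains.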
Line 301: Line 286:
  
 Then stop and start the service again. Then stop and start the service again.
 +
 +Or just use ping on cmdline:
 +(the optional parameter --show display the full translated command)
 +<code bash>
 +run-jail ping ping heise.de -t 3 --show
 +</​code>​
 +
  
 <​del>​FIXME:​ substitute numeric values into human readable names from ps-jail <​del>​FIXME:​ substitute numeric values into human readable names from ps-jail
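Review bot: In the added ping example, --show sits after ping's own arguments (run-jail ping ping heise.de -t 3 --show), so a reader cannot tell whether run-jail consumes it or it is passed through to ping. State where run-jail expects its own options, and say what the two "ping" words stand for; judging by the pdnsd example, the first looks like the jail name and the second the command. Minor: "display" should be "displays", and the parenthetical reads better as a full sentence.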
Line 306: Line 298:
  
 In rsbac-tools there is a tool ps-jail which display processes are in a jail. In rsbac-tools there is a tool ps-jail which display processes are in a jail.
-Or does a:+<code bash> 
 +ps-jail -h 
 +</​code>​ 
 + 
 +Or do a:
 <code bash> <code bash>
 cat /​proc/​rsbac-info/​jails cat /​proc/​rsbac-info/​jails
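Review bot: The added block under "a tool ps-jail which display processes are in a jail" shows only ps-jail -h. If -h is the help switch, say so and also show the invocation that actually lists the jailed processes, since that is what the sentence promises. The lead sentence itself would read better as "which displays the processes that are in a jail".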
wiki/experiences/igraltist/run-jail.txt · Last modified: 2012/07/21 22:01 by 127.0.0.1
