chcontext(8) System Administration chcontext(8)
Klavs Klavsen <@vsen.dk> 0.1.0 chcontext(8)
NAME
       chcontext - allocates a new security context and executes a command in that context
SYNTAX
       chcontext [options] <command arguments>
DESCRIPTION
       chcontext allocates a new security context and executes a command in that context. By default, a new/unused context is allocated.
OPTIONS
       --cap CAP_NAME
              Add a capability to the command. This option may be repeated several times. See /usr/include/linux/capability.h. In general, this option is used with the --secure option: --secure removes most critical capabilities and --cap adds specific ones.

       --cap !CAP_NAME
              Remove a capability from the command. This option may be repeated several times. See /usr/include/linux/capability.h.

       --ctx num
              Select the context. Only root in context 0 is allowed to select a specific context. Context number 1 is special: it can see all processes in any context, but can't kill them.

       --disconnect
              Start the command in the background and make the process a child of process 1.

       --domainname new_domainname
              Set the domainname (NIS) in the new security context. Use "none" to unset the domainname.

       --flag
              Set one flag in the new or current security context. The following flags are supported. The option may be used several times.

              lock:    The new process is trapped and can't use chcontext anymore.

              sched:   The new process and its children will share a common execution priority.

              nproc:   Limit the number of processes in the vserver according to the ulimit setting. Normally, ulimit is a per-user thing. With this flag, it becomes a per-vserver thing.

              private: No one can join this security context once created.

       --hostname new_hostname
              Set the hostname in the new security context. This is needed because if you create a less privileged security context, it may be unable to change its hostname.

       --secure
              Remove all the capabilities to make a virtual server trustable.

       --silent
              Do not print the allocated context number. Information about the context is found in /proc/self/status.
EXAMPLES
       # You must be root, running X.
       # We start an xterm in another security context
       /usr/sbin/chcontext xterm &

       # We check, there is no xterm running, yet we can
       # see it.
       ps ax | grep xterm

       # Are we running in security context 0?
       # We check the s_context line in /proc/self/status
       cat /proc/self/status
       # Ok, we are in security context 0

       # Try the security context 1
       /usr/sbin/chcontext --ctx 1 ps ax | grep xterm
       # Ok, we see the xterm, we try to kill it
       /usr/sbin/chcontext --ctx 1 killall xterm
       # No, security context 1 can see, but can't kill

       # Let's find out in which security context this
       # xterm is running
       /usr/sbin/chcontext --ctx 1 ps ax | grep xterm
       # Ok, this is PID XX. We need the security context
       /usr/sbin/chcontext --ctx 1 cat /proc/XX/status
       # We see the s_context, this is SS.
       # We want to kill this process
       /usr/sbin/chcontext --ctx SS killall xterm

       Please contribute some, if you feel it's important.
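The example session above ends with a manual three-step dance: read the target's s_context from /proc/PID/status via context 1, then re-enter that context to deliver the signal. The following helper script is an added example, not part of the chcontext man page or of the Linux-VServer project; it automates that sequence. The s_context line only exists on a VServer kernel, so the functions take the /proc root from a PROC variable and the script ships with a constructed sample status file (the field layout of that sample is an assumption) so it can be exercised on any system. The CHCONTEXT path and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the chcontext man page): locate a process's
# security context and build the chcontext command that can kill it.

CHCONTEXT=${CHCONTEXT:-/usr/sbin/chcontext}   # path from the man page examples
PROC=${PROC:-/proc}                           # overridable for offline testing

# s_context_of STATUS_FILE
# Print the security context number recorded in a /proc/PID/status file.
# Returns 1 when the file has no s_context line (e.g. a non-VServer kernel),
# so callers do not silently fall back to context 0.
s_context_of() {
    status_file=$1
    ctx=$(awk '$1 == "s_context:" { print $2; exit }' "$status_file" 2>/dev/null)
    [ -n "$ctx" ] || return 1
    printf '%s\n' "$ctx"
}

# kill_cmd_for PID [SIGNAL]
# Print the chcontext command line that delivers SIGNAL (default TERM) to PID
# from inside PID's own context. Context 1 can see every process but cannot
# signal it, so the kill has to be issued with --ctx set to the target's
# context. The command is printed rather than executed: running it requires
# root in context 0, and the caller can review it first, e.g.
#     eval "$(kill_cmd_for 1234)"
kill_cmd_for() {
    pid=$1
    sig=${2:-TERM}
    ctx=$(s_context_of "$PROC/$pid/status") || return 1
    printf '%s --silent --ctx %s kill -%s %s\n' "$CHCONTEXT" "$ctx" "$sig" "$pid"
}

# make_sample_status DIR PID CTX
# Write a constructed /proc-style status file under DIR/PID/status so the
# functions above can be demonstrated without a VServer kernel. Only the
# s_context line matters; the other fields are illustrative.
make_sample_status() {
    dir=$1; pid=$2; ctx=$3
    mkdir -p "$dir/$pid"
    printf 'Name:\txterm\nState:\tS (sleeping)\nPid:\t%s\ns_context: %s\n' \
        "$pid" "$ctx" > "$dir/$pid/status"
}

# Demonstration on the constructed sample (safe to run anywhere).
demo_dir=$(mktemp -d)
make_sample_status "$demo_dir" 1234 42
PROC=$demo_dir
echo "context of PID 1234: $(s_context_of "$demo_dir/1234/status")"
echo "would run: $(kill_cmd_for 1234)"
PROC=/proc
rm -rf "$demo_dir"
```

On a real VServer host you would leave PROC at its default, run the script as root in context 0, and inspect the printed command before evaluating it; on a kernel without s_context support, kill_cmd_for returns 1 and prints nothing, rather than guessing a context.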
AUTHORS
       This man page was written by Klavs Klavsen <@vsen.dk> and based upon the helpful output from the program itself and the documentation on the Virtual Server site <http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>
SEE ALSO
       chbind(8), rebootmgr(8), reducecap(8), vps(8), vpstree(8), vrpm(8), vserver(8), vserver-stat(8), vtop(8)