NAME
compartment - secure program/service wrapper
SYNOPSIS
compartment [--cap CAPSET] [--chroot PATH] [--user USER] [--group GROUP]
[--init PROGRAM] [--verbose] [--quiet] [--fork] /full/path/to/program
DESCRIPTION
The Secure Compartment was designed to allow safe execution of privileged
and/or untrusted executables and services. It includes all available features
that can be used to minimize the risk of a trojanized or vulnerable
program/service.
COMMANDLINE OPTIONS
- --cap CAPSET
- sets the defined CAPABILITY for the process. See the README file
and the section LIMITATIONS for more information and examples.
- --chroot PATH
- chroots to the PATH defined. It has to be a valid chroot
environment. See the README file for more information and examples.
- --user USER
- runs the program with uid/euid of USER
- --group GROUP
- runs the program with gid/egid of GROUP
- --init PROGRAM
- runs PROGRAM before running the untrusted program/service, e.g. to build a
chroot environment
- --verbose
- prints detailed information about what compartment does.
- --quiet
- does not print syslog information about the use of compartment
- --fork
- forks if everything was set up correctly; the parent process will exit.
FEATURES
Linux Capabilities
- supports all Linux capabilities
- (see /usr/include/linux/capability.h and the README file)
Chrooting
- supports a chroot setup
Privileges
- supports running with defined user and/or group privileges
Setup Scripts
- supports running of initial scripts
- before running a program/service, e.g. to build a chroot environment.
LIMITATIONS
Currently the kernel does not allow capabilities on processes which are not
running with euid 0. Therefore compartment will exit with an error if
--user and --cap are used together.
Please note that this will change for the 2.4 kernel.
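The steps a wrapper of this kind has to perform for --chroot, --user and --group, together with the --user/--cap check described above, shown as an added C example. This is not compartment's source code; the names check_options and confine, the demo's argument order and the uid/gid value 65534 are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Rules taken from the page: the program must be given as a full path, and
 * --user cannot be combined with --cap (LIMITATIONS). Returns 0 if valid. */
int check_options(const char *user, const char *capset, const char *program)
{
    if (program == NULL || program[0] != '/')
        return -1;                  /* not /full/path/to/program */
    if (user != NULL && capset != NULL)
        return -2;                  /* capabilities require euid 0 */
    return 0;
}

/* Hypothetical helper: confine the calling process. chroot() needs root,
 * so it has to run before the uid is dropped. Returns 0 on success. */
int confine(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0)
        return -1;
    if (chdir("/") != 0)            /* a cwd left outside the new root is an escape path */
        return -1;
    if (setgroups(1, &gid) != 0)    /* discard inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                  /* gid before uid: after setuid() the gid can no longer be changed */
    if (uid != 0 && setuid(0) == 0)
        return -1;                  /* regaining root must be impossible */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3 || check_options("nobody", NULL, argv[2]) != 0) {
        fprintf(stderr, "usage: %s JAIL /full/path/inside/jail\n", argv[0]);
        return 2;
    }
    if (confine(argv[1], 65534, 65534) != 0) {  /* 65534: constructed sample uid/gid */
        fprintf(stderr, "confine: %s\n", strerror(errno));
        return 1;
    }
    execv(argv[2], &argv[2]);       /* runs only if every step above succeeded */
    perror("execv");
    return 1;
}
```

The demo must be started as root, and the program path is resolved inside the jail once chroot() has succeeded.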
BUGS
No bugs are currently known.
AUTHOR
Marc Heuse
<marc@suse.de>
DISTRIBUTION
compartment is part of the SuSE Linux Distribution since 7.0 so it can
be downloaded as an RPM file from the SuSE FTP servers. It can also be
downloaded as a .tar.gz file from
http://www.suse.de/~marc
It has also been part of the Debian GNU/Linux distribution since just after
woody (Debian 3.0).
LICENCE
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; Version 2.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
SEE ALSO
capset (2),
chroot (1),
chroot (2)