User Tools

Site Tools


ironpenguin:prerequisits

before you begin

Naturally, the first step is to upgrade to the IronPenguin kernel in the usual way.

To make full use of capabilities requires fscaps which, in turn, requires the filesystem to be mointed with the user_xattr option. For the usual case of an ext2 or ext3 filesystem, tune2fs can be used to enable mount options by default. To enable user_xattr and acl (acl is not required, but suggested), do the following for every filesystem on the machine (where xxx is the relevant block device):

tune2fs -o +user_xattr,+acl /dev/xxx

After that, either reboot or (for every filesystem currently mounted):

mount -oremount,user_xattr,acl /

In the event that only jails are desired, this step can (but shouldn't) be skipped.

User utils

Next, to take advantage of the new functionality, you will need to install the user utilities. This procedure will differ depending on the base distro you're using. Debian packages and RPMs will be posted shortly. If all else fails, the source may be downloaded, built, and installed.

Audit

Next, locate all setuid-root binaries on the system using something like

find / -type f -perm +04000

For each file identified, it is necessary to decide if it REALLY needs to be setuid-root or if simply forcing one or 2 capabilities would suffice. Note that if you intend to remove default capabilities from root later, for cases where full setuid-root IS called for, it will be necessary to force all capabilities.

Use fcap to set the desired forced and allowed capabilities, then chmod (and perhaps chown) to remove setuid (unless setuid is necessary).

The setup and use of jails is beyond the scope of this page and will be covered here.

ironpenguin/prerequisits.txt · Last modified: 2010/04/15 21:18 (external edit)