User`s guide

ManualsBrandsParallels ManualsSoftwareServer 4 Bare Metal SE, ESD, w/PVA, MNT, 1Y, PltSup, ENG

171

172

173

174

175

176

177

178

179

180

Advanced Tasks 176

[root@ct101 root]# ls -l

total 3

-rwxrwxrwx 1 root root 1252 Oct 29 23:56 passwd

-rwxrwxrwx 1 root root 823 Oct 29 23:56 shadow

While there is no easy way to substitute the password files on the server, a malicious Container

administrator could run a dictionary attack against the obtained files.

Available Capabilities for Container

This section lists all the capabilities that can be set with the <pctl> command. The capabilities

are divided into two tables: the capabilities defined by the POSIX draft standard and Linux-

specific capabilities. For each capability, its description is given together with the default value

for a Container.

Please note that it is easy to create a non-working Container or compromise your server security

by setting capabilities incorrectly. Do not change any capability for a Container without a full

understanding of what this capability can lead to.

Capabilities Defined by POSIX Draft

Name Description Default

chown

If a process has this capability set on, it can change ownership on

the files not belonging to it or belonging to another user. You

have to set this capability on to allow the Container root user to

change ownership on files and directories inside the Container.

dac_override

This capability allows to access files even if the permission is set

to disable access. Normally leave this on to let the Container root

access files even if the permission does not allow it.

dac_read_search

Overrides restrictions on reading and searching for files and

directories. The explanation is almost the same as above with the

sole exclusion that this capability does not override executable

restrictions.

fowner

Overrides restrictions on setting the S_ISUID and S_ISGID bits

on a file requiring that the effective user ID and effective group

ID of the process shall match the file owner ID.

fsetid

Used to decide between falling back on the old suser() or

fsuser().

kill

Allows sending signals to processes owned by other users. on

setgid

Allows group ID manipulation and forged group IDs on socket

credentials passing.

setuid

Allows user ID manipulation and forged user IDs on socket

credentials passing.