User`s guide

ManualsBrandsParallels ManualsSoftwareServer 4 Bare Metal SE, ESD, w/PVA, MNT, 1Y, PltSup, ENG

171

172

173

174

175

176

177

178

179

180

Advanced Tasks 177

Linux-Specific Capabilities

Name Description Default

setpcap

Transfer any capability in your permitted set to any process ID;

remove any capability in your permitted set from any process

ID.

off

linux_immutable

Allows the modification of the S_IMMUTABLE and S_APPEND

file attributes. These attributes are implemented only for the

EXT2FS and EXT3FS Linux file systems and, as such, this

capability has no effect for Containers running on top of VZFS.

However, if you bind mount a directory located on the EXT2FS

or EXT3FS file system into a Container and revoke this

capability, the root user inside the Container will not be able to

delete or truncate files with these attributes on.

net_bind_service

Allows to bind to sockets with numbers below 1024. on

net_broadcast

Allows network broadcasting and multicast access. on

net_admin

Allows the administration of IP firewalls and accounting. off

net_raw

Allows to use the RAW and PACKET sockets. on

ipc_lock

Allows to lock shared memory segments and

mlock/mlockall calls.

ipc_owner

Overrides IPC ownership checks. on

sys_module

Insert and remove kernel modules. Be very careful with setting

this capability on for a Container; if a user has the permission of

inserting kernel modules, this user has essentially full control

over the server.

off

sys_rawio

Allows to create VZFS symlinks over VZFS. off

sys_chroot

Allows to use chroot().

sys_ptrace

Allows to trace any process. on

sys_pacct

Allows to configure process accounting. on

sys_admin

In charge of many system administrator tasks such as swapping,

administering APM BIOS, and so on. Shall be set to off for

Containers.

off

sys_boot

This capability currently has no effect on the Container

behaviour.

sys_nice

Allows to raise priority and to set priority for other processes. on

sys_resource

Override resource limits (do not confuse with user

beancounters).

sys_time

Allows to change the system time. off

sys_tty_config

Allows the configuration of TTY devices. on

mknod

Allows the privileged aspects of mknod().

lease

Allows to take leases of files. on