COMPARTMENT(1)COMPARTMENT(1)NAMEcompartment - secure program/service wrapper
SYNOPSIScompartment [--cap CAPSET] [--chroot PATH] [--user USER] [--group
GROUP] [--init PROGRAM] [--verbose] [--quiet] [--fork]
/full/path/to/program
DESCRIPTION
The SuSE Secure Compartment was designed to allow safe execution of
priviliged and/or untrusted executables and services. It has got all
features possible included, which can be used to minimize the risk of a
trojanized or vulnerable program/service.
COMMANDLINE OPTIONS--cap CAPSET
sets the defined CAPABILITY for the process. See the README
file for more information.
--chroot PATH
chroots to the PATH defined. It has to be a valid chroot envi‐
ronment. See the README file for more information and examples.
--user USER
runs the program with uid/euid of USER
--group GROUP
runs the program with gid/egid of GROUP
--init PROGRAM
runs PROGRAM before running the untrusted program/service, e.g.
to build a chroot environment
--verbose
prints detailled information what compartment does.
--quit does not print syslog information about the use of compartment--fork forks if everything was set up correctly, mother process will
exit.
FEATURES
Linux Capabilities
supports all Linux capabilites
(see /usr/include/linux/capability.h and the README file)
Chrooting
supports a chroot setup
Privileges
supports running with defined user and/or group privileges
Setup Scripts
supports running of initial scripts
before running a program/service, e.g. to build a chroot envi‐
ronment.
BUGS
No bugs are currently known
AUTHOR
Marc Heuse <marc@suse.de>
DISTRIBUTIONcompartment is part of the SuSE Linux Distribtution since 7.0 so it can
be downloaded as an RPM file from the SuSE FTP servers. It can also be
downloaded as a .tar.gz file from http://www.suse.de/~marc
LICENCE
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; Version 2.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MER‐
CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
SEE ALSO
capset (2), chroot (1), chroot (2)
COMPARTMENT(1)