COMPARTMENT(1)              General Commands Manual              COMPARTMENT(1)

NAME
       compartment - secure program/service wrapper

SYNOPSIS
       compartment [--cap CAPSET] [--chroot PATH] [--user USER] [--group GROUP]
       [--init PROGRAM] [--verbose] [--quiet] [--fork] /full/path/to/program

DESCRIPTION
       The Secure Compartment was designed to allow safe execution of
       privileged and/or untrusted executables and services. It bundles all
       the features available to minimize the risk of a trojanized or
       vulnerable program/service.

COMMANDLINE OPTIONS
       --cap CAPSET
              sets the defined CAPABILITY for the process. See the README file
              and the section LIMITATIONS for more information and examples.

       --chroot PATH
              chroots to the PATH defined. It has to be a valid chroot
              environment. See the README file for more information and
              examples.

       --user USER
              runs the program with uid/euid of USER

       --group GROUP
              runs the program with gid/egid of GROUP

       --init PROGRAM
              runs PROGRAM before running the untrusted program/service, e.g.
              to build a chroot environment

       --verbose
              prints detailed information about what compartment does.

       --quiet
              does not print syslog information about the use of compartment

       --fork
              forks if everything was set up correctly; the parent process
              will exit.

FEATURES
       Linux Capabilities
              supports all Linux capabilities (see
              /usr/include/linux/capability.h and the README file)

       Chrooting
              supports a chroot setup

       Privileges
              supports running with defined user and/or group privileges

       Setup Scripts
              supports running of initial scripts before running a
              program/service, e.g. to build a chroot environment.

LIMITATIONS
       Currently the kernel does not allow capabilities on processes which are
       not running with euid 0. Therefore compartment will exit with an error
       if --user and --cap are used together. Please note that this will
       change for the 2.4 kernel.

BUGS
       No bugs are currently known

AUTHOR
       Marc Heuse <marc@suse.de>

DISTRIBUTION
       compartment is part of the SuSE Linux Distribution since 7.0 so it can
       be downloaded as an RPM file from the SuSE FTP servers. It can also be
       downloaded as a .tar.gz file from http://www.suse.de/~marc
       It has also been part of the Debian GNU/Linux distribution since just
       after woody (Debian 3.0)

LICENCE
       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; Version 2.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License for more details.

SEE ALSO
       capset(2), chroot(1), chroot(2)

                                                                 COMPARTMENT(1)
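
The constraints stated above (a full program path, no --user together with --cap, a valid chroot environment) can be checked before compartment is invoked. The following is an added example, not part of the man page or of compartment: compartment_preflight is a hypothetical helper, the paths and user name in its usage comment are constructed, and the two chroot checks are assumptions about what "valid" means.

```shell
#!/bin/sh
# Added example, not part of compartment: compartment_preflight is a
# hypothetical helper that vets a compartment command line before it is run.
# Return codes: 0 ok, 2 bad option, 3 program path, 4 --user with --cap,
# 5/6 chroot directory, 7 program not found inside the chroot.
compartment_preflight() {
    cap='' user='' jail='' init='' prog=''
    while [ $# -gt 0 ]; do
        case "$1" in
        --cap|--chroot|--user|--group|--init)
            if [ $# -lt 2 ]; then echo "missing value for $1" >&2; return 2; fi
            case "$1" in
            --cap) cap=$2 ;; --chroot) jail=$2 ;;
            --user) user=$2 ;; --init) init=$2 ;;
            esac
            shift 2 ;;
        --verbose|--quiet|--fork) shift ;;
        --*) echo "unknown option: $1" >&2; return 2 ;;
        *) prog=$1; break ;;
        esac
    done
    # SYNOPSIS: the program must be given as a full path.
    case "$prog" in
    /*) ;;
    *) echo "program must be a full path: '$prog'" >&2; return 3 ;;
    esac
    # LIMITATIONS: --user and --cap together make compartment exit with an error.
    if [ -n "$cap" ] && [ -n "$user" ]; then
        echo "--user and --cap cannot be combined" >&2; return 4
    fi
    [ -n "$jail" ] || return 0
    if [ ! -d "$jail" ]; then echo "chroot is not a directory: $jail" >&2; return 5; fi
    # Assumption: a chroot root writable by group or others is not "valid".
    if [ -n "$(find "$jail/." -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "chroot is group- or world-writable: $jail" >&2; return 6
    fi
    # Assumption: the program path is resolved inside the chroot; skipped when
    # an --init program may still have to build the environment.
    if [ -z "$init" ] && [ ! -x "$jail$prog" ]; then
        echo "no executable $prog inside $jail" >&2; return 7
    fi
    return 0
}
# Stand-alone use (constructed values):
#   sh preflight.sh --chroot /srv/jail --user nobody /bin/svc
[ $# -eq 0 ] || compartment_preflight "$@"
```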