--- compartment-1.1.0.orig/compartment.1
+++ compartment-1.1.0/compartment.1
@@ -12,7 +12,7 @@
.SH DESCRIPTION
The
-.I SuSE Secure Compartment
+.I Secure Compartment
was designed to allow safe execution of priviliged and/or untrusted executables and services.
It has got all features possible included, which can be used to minimize the risk of a trojanized or vulnerable program/service.
@@ -107,6 +107,9 @@
an RPM file from the SuSE FTP servers. It can also be downloaded as a .tar.gz
file from
.I http://www.suse.de/~marc
+.PP
+It has been also part of the Debian GNU/Linux distribution since just
+after woody (Debian 3.0)
.SH LICENCE
.Sp
@@ -125,4 +128,4 @@
.I chroot
(1),
.I chroot
-(2)
\ No newline at end of file
+(2)
--- compartment-1.1.0.orig/Makefile
+++ compartment-1.1.0/Makefile
@@ -1,24 +1,30 @@
CC=gcc
OPTS=-Wall -O2
-BIN_DIR=/usr/sbin
+PREFIX=/usr
+BIN_DIR=${PREFIX}/sbin
BIN_LIST=compartment
-DOC_DIR=/usr/doc/packages/compartment
+DOC_DIR=${PREFIX}/doc/packages/compartment
DOC_LIST=README LICENCE CHANGES TODO
-MAN_DIR=/usr/share/man/man1
+MAN_DIR=${PREFIX}/share/man/man1
MAN_LIST=compartment.1
all: compartment
compartment: compartment.c
${CC} ${OPTS} -o ${BIN_LIST} compartment.c
- strip ${BIN_LIST}
+# strip ${BIN_LIST}
clean:
rm -f ${BIN_LIST} core *~
-install: compartment
+install: install-doc install-bin
+
+install-bin: compartment
install -o root -g root -m 751 ${BIN_LIST} ${BIN_DIR}
+
+install-doc:
install -d -o root -g root -m 755 ${DOC_DIR}
install -o root -g root -m 644 ${DOC_LIST} ${DOC_DIR}
install -d -o root -g root -m 755 ${MAN_DIR}
install -o root -g root -m 644 ${MAN_LIST} ${MAN_DIR}
+
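Review bot: The new `install-bin` target never creates `${BIN_DIR}`, while `install-doc` does create `${DOC_DIR}` and `${MAN_DIR}` with `install -d`. Now that `PREFIX` can be overridden, the destination may not exist yet; in that case `install` treats `${BIN_DIR}` as a file name and writes the binary to a file called `sbin`. Add `install -d -o root -g root -m 755 ${BIN_DIR}` as the first recipe line of `install-bin`. It would also help to declare `.PHONY: all clean install install-bin install-doc`, so a stray file with one of those names cannot suppress a target.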
--- compartment-1.1.0.orig/compartment.c
+++ compartment-1.1.0/compartment.c
@@ -35,7 +35,7 @@
#include <sys/time.h>
#include <sys/resource.h>
-#define PROGRAM_NAME "SuSE secure compartment"
+#define PROGRAM_NAME "Secure compartment"
#define VERSION "v1.1"
#define AUTHOR "Marc Heuse <marc@suse.de>"
#define POINTER "http://www.suse.de/~marc"
@@ -43,16 +43,16 @@
char *_env[] = { "HOME=/", "COMPARTMENT=YES", "PATH=/bin:/usr/bin:/", "" };
-int cap_set_no[29] = {
+int cap_set_no[28] = {
CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH,CAP_FOWNER,CAP_FSETID,
- CAP_FS_MASK,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_LINUX_IMMUTABLE,
+ CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_LINUX_IMMUTABLE,
CAP_NET_BIND_SERVICE,CAP_NET_BROADCAST,CAP_NET_ADMIN,CAP_NET_RAW,CAP_IPC_LOCK,
CAP_IPC_OWNER,CAP_SYS_MODULE,CAP_SYS_RAWIO,CAP_SYS_CHROOT,CAP_SYS_PTRACE,
CAP_SYS_PACCT,CAP_SYS_ADMIN,CAP_SYS_BOOT,CAP_SYS_NICE,CAP_SYS_RESOURCE,
CAP_SYS_TIME,CAP_SYS_TTY_CONFIG, 0 };
-char cap_set_names[29][29] = {
+char cap_set_names[28][29] = {
"CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_DAC_READ_SEARCH","CAP_FOWNER","CAP_FSETID",
- "CAP_FS_MASK","CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP",
+ "CAP_KILL","CAP_SETGID","CAP_SETUID","CAP_SETPCAP",
"CAP_LINUX_IMMUTABLE","CAP_NET_BIND_SERVICE","CAP_NET_BROADCAST",
"CAP_NET_ADMIN","CAP_NET_RAW","CAP_IPC_LOCK","CAP_IPC_OWNER","CAP_SYS_MODULE",
"CAP_SYS_RAWIO","CAP_SYS_CHROOT","CAP_SYS_PTRACE","CAP_SYS_PACCT",
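Review bot: The bounds in `int cap_set_no[28]` and `char cap_set_names[28][29]` are still hand-counted, which is how the off-by-one being fixed here arose. With a fixed bound, gcc only warns about excess initializers and discards them, so a later addition could drop the terminating entry that the `strlen(cap_set_names[tmp])>0` loop in help() scans for. Letting the compiler size the first dimension avoids this: `int cap_set_no[] = {` and `char cap_set_names[][29] = {`. Separately, the trailing `0` in `cap_set_no` has the same value as `CAP_CHOWN` in the Linux capability headers, so it cannot serve as an end marker; whether any loop outside this hunk relies on it should be checked. The `cap_set_names` initializer continues past the end of the hunk, so its terminator is not visible here.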
@@ -74,18 +74,7 @@
void help() {
fprintf(stderr, "%s %s %s %s\n\n", PROGRAM_NAME, VERSION, AUTHOR, POINTER);
fprintf(stderr, "Syntax: %s [options] /full/path/to/program\n", prg);
- fprintf(stderr, "Options:
-\t --chroot path\t chroot to path
-\t --user user\t change uid to this user
-\t --group group\t change gid to this group
-\t --init program\t execute this program/script before doing anything
-\t --cap capset\t set capset name. This option can be used several times.
-\t --verbose\t be verbose
-\t --quiet\t do no logging (to syslog)
-\t --fork\t\t fork (if everything is fine)
-\nHints: always try to chroot; use --user&group if possible; chroot and chown all
-files to another user than root if you use capabilties. Read the README file!
-\nKnown capset names: none");
+ fprintf(stderr, "Options:\n\t --chroot path\t chroot to path\n\t --user user\t change uid to this user\n\t --group group\t change gid to this group\n\t --init program\t execute this program/script before doing anything\n\t --cap capset\t set capset name. This option can be used several times.\n\t --verbose\t be verbose\n\t --quiet\t do no logging (to syslog)\n\t --fork\t\t fork (if everything is fine)\n\nHints: always try to chroot; use --user&group if possible; chroot and chown all\nfiles to another user than root if you use capabilties. Read the README file!\n\nKnown capset names: none");
tmp = 0;
while(strlen(cap_set_names[tmp])>0)
fprintf(stderr," %s",cap_set_names[tmp++]);
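Review bot: The replacement literal in help() is one source line several hundred characters long, so the option table is hard to read and any later edit to one option shows up as a change to the whole line. Adjacent string literals are concatenated by the compiler, so the text can be written one output line per source line with the same bytes at run time. The same applies to the `print_msg` literal in the `@@ -418,11 +407,7 @@` hunk. help() continues past the end of this hunk.

```c
    /* … unchanged: banner and Syntax lines … */
    fprintf(stderr,
        "Options:\n"
        "\t --chroot path\t chroot to path\n"
        "\t --user user\t change uid to this user\n"
        "\t --group group\t change gid to this group\n"
        "\t --init program\t execute this program/script before doing anything\n"
        "\t --cap capset\t set capset name. This option can be used several times.\n"
        "\t --verbose\t be verbose\n"
        "\t --quiet\t do no logging (to syslog)\n"
        "\t --fork\t\t fork (if everything is fine)\n"
        "\nHints: always try to chroot; use --user&group if possible; chroot and chown all\n"
        "files to another user than root if you use capabilties. Read the README file!\n"
        "\nKnown capset names: none");
    /* … unchanged: loop printing cap_set_names … */
```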
@@ -173,11 +162,11 @@
help();
my_secure();
- openlog("SuSEcompartment", LOG_PID, LOG_DAEMON);
+ openlog("compartment", LOG_PID, LOG_DAEMON);
if (sizeof(uid_t) == 4) {
- (unsigned long int) uidrange = 65535;
+ uidrange = 65535;
} else { if (sizeof(uid_t) == 8) {
- (unsigned long int) uidrange = (unsigned long int) 2147483646; //4294967295;
+ uidrange = (unsigned long int) 2147483646; //4294967295;
} else
fprintf(stderr, "Warning: weird uid size: %d\n", sizeof(uid_t));
}
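Review bot: The fallback branch for an unexpected `sizeof(uid_t)` still only prints a warning and never assigns `uidrange`, so the variable keeps whatever value its declaration gave it, and that declaration is outside this hunk. If `uidrange` bounds the numeric uid/gid values accepted later, as its name suggests, that branch should set a conservative limit or refuse to continue. The warning also passes a `size_t` to `%d`, which is a format/argument mismatch on LP64 targets; use `fprintf(stderr, "Warning: weird uid size: %zu\n", sizeof(uid_t));`. The enclosing function starts and ends outside the hunk.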
@@ -418,11 +407,7 @@
if (access(_argv[0], X_OK) < 0)
print_msg("Execute bit missing, or no permissions to execute %s\n", _argv[0]);
else
- print_msg("Could not properly execute %s - the chroot environment might not be
-set up correctly:
-Create the directories /etc and /lib in chroot_dir and run \"ldd %s\"
-to see which libraries are needed. Copy these to chroot_dir/lib, then chdir to
-chroot_dir and execute \"ldconfig -X -r .\"\n", _argv[0], _argv[0]);
+ print_msg("Could not properly execute %s - the chroot environment might not be\nset up correctly:\nCreate the directories /etc and /lib in chroot_dir and run \"ldd %s\"\nto see which libraries are needed. Copy these to chroot_dir/lib, then chdir to\nchroot_dir and execute \"ldconfig -X -r .\"\n", _argv[0], _argv[0]);
}
return 1;