Provided by: util-vserver_0.30.216-pre3120-1.4_amd64

NAME

       chcontext - chcontext allocates a new security context and executes a command in that context.

SYNTAX

       chcontext [options] <command arguments>

DESCRIPTION

       chcontext allocates a new security context and executes a command in that context.  By default, a
       new/unused context is allocated.

OPTIONS

       --cap CAP_NAME
              Add a capability to the command. This option may be repeated several times. See
              /usr/include/linux/capability.h. In general, this option is used with the --secure option:
              --secure removes most critical capabilities and --cap adds specific ones.

       --cap !CAP_NAME
              Remove a capability from the command. This option may be repeated several times. See
              /usr/include/linux/capability.h.

       --ctx num
              Select the context.  Only root in context 0 is allowed to select a specific context.  Context
              number 1 is special. It can see all processes in any context, but cannot kill them.

       --disconnect
              Start the command in background and make the process a child of process 1.

       --domainname new_domainname
              Set the domainname (NIS) in the new security context.  Use "none" to unset the domainname.

       --flag
              Set one flag in the new or current security context. The following flags are supported. The option
              may be used several times.
                 lock: The new process is trapped and can't use chcontext anymore.
                 sched: The new process and its children will share a common execution priority.
                 nproc: Limit the number of processes in the vserver according to the ulimit setting.
                        Normally, ulimit is a per-user thing. With this flag, it becomes a per-vserver thing.
                 private: No one can join this security context once created.

       --hostname new_hostname
              Set  the  hostname  in  the  new  security  context.   This is needed because if you create a less
              privileged security context, it may be unable to change its hostname.

       --secure
              Remove all the capabilities to make a virtual server trustable.

       --silent
              Do not print the allocated context number.

       Information about the context is found in /proc/self/status.

FILES

       /usr/sbin/chcontext

EXAMPLES

       # You must be root, running X.
       # We start an xterm in another security context
       /usr/sbin/chcontext xterm &

       # We check, there is no xterm running, yet we can
       # see it.
       ps ax | grep xterm

       # Are we running in security context 0?
       # We check the s_context line in /proc/self/status
       cat /proc/self/status

       # Ok, we are in security context 0
       # Try the security context 1
       /usr/sbin/chcontext --ctx 1 ps ax | grep xterm

       # Ok, we see the xterm, we try to kill it
       /usr/sbin/chcontext --ctx 1 killall xterm

       # No, security context 1 can see, but can't kill
       # let's find out in which security context this
       # xterm is running
       /usr/sbin/chcontext --ctx 1 ps ax | grep xterm

       # Ok, this is PID XX. We need the security context
       /usr/sbin/chcontext --ctx 1 cat /proc/XX/status

       # We see the s_context, this is SS.
       # We want to kill this process
       /usr/sbin/chcontext --ctx SS killall xterm

       Please contribute some, if you feel it's important.
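
       The PID-to-context lookup done by hand above can be scripted; the following is an added example, not
       part of the original man page or of util-vserver. The function names find_ctx and ctx_of_status are
       hypothetical, and the status line is assumed to have the form "s_context: <number> ...".

```shell
#!/bin/sh
# Added example: report the security context of every process with a given name.
# Assumption: /proc/<pid>/status carries a line of the form "s_context: <number> ...".

# ctx_of_status FILE
# Prints the context number found in one status file.
# Returns non-zero when the file has no s_context line (kernel without contexts).
ctx_of_status() {
    awk -F'[: \t]+' '$1 == "s_context" { print $2; found = 1; exit }
                     END { exit found ? 0 : 1 }' "$1"
}

# find_ctx NAME [PROCROOT]
# Prints "PID CONTEXT" for each process whose Name field equals NAME.
# PROCROOT defaults to /proc; it is a parameter so the scan can be tested offline.
find_ctx() {
    name=$1
    root=${2:-/proc}
    for status in "$root"/[0-9]*/status; do
        # A process may exit between the glob and the read; skip it.
        [ -r "$status" ] || continue
        pname=$(awk -F'[: \t]+' '$1 == "Name" { print $2; exit }' "$status")
        [ "$pname" = "$name" ] || continue
        pid=${status%/status}
        pid=${pid##*/}
        if ctx=$(ctx_of_status "$status"); then
            echo "$pid $ctx"
        else
            echo "$pid unknown"
        fi
    done
}

# Run the scan only when a process name is given on the command line.
if [ $# -gt 0 ]; then
    find_ctx "$@"
fi
```

       Processes in other contexts are not visible from context 0, so run the script under
       /usr/sbin/chcontext --ctx 1 and pass the reported number to --ctx.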

AUTHORS

       This man page was written by Klavs Klavsen <kl@vsen.dk> and based upon the helpful output from the
       program itself and the documentation on the Virtual Server site
       <http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0>

SEE ALSO

       chbind(8) rebootmgr(8) reducecap(8) vps(8) vpstree(8) vrpm(8) vserver(8) vserver-stat(8) vtop(8)