diff -NurpP linux-2.6.17.3-vs2.1.1-rc25.1.1/include/linux/vserver/context.h linux-2.6.17.3-vs2.1.1-rc25.2/include/linux/vserver/context.h
--- linux-2.6.17.3-vs2.1.1-rc25.1.1/include/linux/vserver/context.h	2006-06-18 05:03:05 +0200
+++ linux-2.6.17.3-vs2.1.1-rc25.2/include/linux/vserver/context.h	2006-07-08 23:23:38 +0200
@@ -42,6 +42,7 @@
 
 #define VXF_STATE_SETUP		(1ULL<<32)
 #define VXF_STATE_INIT		(1ULL<<33)
+#define VXF_STATE_ADMIN		(1ULL<<34)
 
 #define VXF_SC_HELPER		(1ULL<<36)
 #define VXF_REBOOT_KILL		(1ULL<<37)
@@ -52,9 +53,9 @@
 
 #define VXF_IGNEG_NICE		(1ULL<<52)
 
-#define VXF_ONE_TIME		(0x0003ULL<<32)
+#define VXF_ONE_TIME		(0x0007ULL<<32)
 
-#define VXF_INIT_SET		(VXF_STATE_SETUP|VXF_STATE_INIT)
+#define VXF_INIT_SET		(VXF_STATE_SETUP|VXF_STATE_INIT|VXF_STATE_ADMIN)
 
 
 /* context migration */
diff -NurpP linux-2.6.17.3-vs2.1.1-rc25.1.1/include/linux/vserver/network.h linux-2.6.17.3-vs2.1.1-rc25.2/include/linux/vserver/network.h
--- linux-2.6.17.3-vs2.1.1-rc25.1.1/include/linux/vserver/network.h	2006-07-09 00:50:05 +0200
+++ linux-2.6.17.3-vs2.1.1-rc25.2/include/linux/vserver/network.h	2006-07-08 23:27:52 +0200
@@ -16,13 +16,14 @@
 #define NXF_INFO_LOCK		0x00000001
 
 #define NXF_STATE_SETUP		(1ULL<<32)
+#define NXF_STATE_ADMIN		(1ULL<<34)
 
 #define NXF_SC_HELPER		(1ULL<<36)
 #define NXF_PERSISTENT		(1ULL<<38)
 
-#define NXF_ONE_TIME		(0x0001ULL<<32)
+#define NXF_ONE_TIME		(0x0005ULL<<32)
 
-#define NXF_INIT_SET		(0)
+#define NXF_INIT_SET		(NXF_STATE_ADMIN)
 
 
 /* address types */
diff -NurpP linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/context.c linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/context.c
--- linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/context.c	2006-07-09 00:50:05 +0200
+++ linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/context.c	2006-07-09 00:14:37 +0200
@@ -18,6 +18,7 @@
  *  V0.11  and back to locking again
  *  V0.12  referenced context store
  *  V0.13  separate per cpu data
+ *  V0.14  added lock and admin flags
  *
  */
 
@@ -700,6 +701,9 @@ int vx_set_reaper(struct vx_info *vxi, s
 	if (!vxi)
 		return -EINVAL;
 
+	if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0))
+		return -EACCES;
+
 	vxdprintk(VXD_CBIT(xid, 6),
 		"vx_set_reaper(%p[#%d],%p[#%d,%d])",
 		vxi, vxi->vx_id, p, p->xid, p->pid);
@@ -720,6 +724,9 @@ int vx_set_init(struct vx_info *vxi, str
 	if (!vxi)
 		return -EINVAL;
 
+	if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0))
+		return -EACCES;
+
 	vxdprintk(VXD_CBIT(xid, 6),
 		"vx_set_init(%p[#%d],%p[#%d,%d,%d])",
 		vxi, vxi->vx_id, p, p->xid, p->pid, p->tgid);
@@ -932,6 +939,10 @@ int vc_set_cflags(uint32_t id, void __us
 	if (!vxi)
 		return -ESRCH;
 
+	ret = -EACCES;
+	if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0))
+		goto out_put;
+
 	/* special STATE flag handling */
 	mask = vx_mask_mask(vc_data.mask, vxi->vx_flags, VXF_ONE_TIME);
 	trigger = (mask & vxi->vx_flags) ^ (mask & vc_data.flagword);
@@ -1010,16 +1021,22 @@ static int do_set_caps(xid_t xid, uint64
 	uint64_t ccaps, uint64_t cmask)
 {
 	struct vx_info *vxi;
+	int ret;
 
 	vxi = lookup_vx_info(xid);
 	if (!vxi)
 		return -ESRCH;
 
+	ret = -EACCES;
+	if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0))
+		goto out_put;
+
 	vxi->vx_bcaps = vx_mask_flags(vxi->vx_bcaps, bcaps, bmask);
 	vxi->vx_ccaps = vx_mask_flags(vxi->vx_ccaps, ccaps, cmask);
-
+	ret = 0;
+out_put:
 	put_vx_info(vxi);
-	return 0;
+	return ret;
 }
 
 int vc_set_ccaps_v0(uint32_t id, void __user *data)
diff -NurpP linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/namespace.c linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/namespace.c
--- linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/namespace.c	2006-07-09 00:50:05 +0200
+++ linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/namespace.c	2006-07-08 23:39:25 +0200
@@ -7,6 +7,7 @@
  *
  *  V0.01  broken out from context.c 0.07
  *  V0.02  added task locking for namespace
+ *  V0.03  added lock and admin flags
  *
  */
 
diff -NurpP linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/network.c linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/network.c
--- linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/network.c	2006-07-09 00:50:05 +0200
+++ linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/network.c	2006-07-09 00:28:05 +0200
@@ -10,6 +10,7 @@
  *  V0.03  added equiv nx commands
  *  V0.04  switch to RCU based hash
  *  V0.05  and back to locking again
+ *  V0.06  added lock and admin flags
  *
  */
 
@@ -724,6 +725,7 @@ int vc_set_nflags(uint32_t id, void __us
 	struct nx_info *nxi;
 	struct vcmd_net_flags_v0 vc_data;
 	uint64_t mask, trigger;
+	int ret;
 
 	if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 		return -EFAULT;
@@ -732,6 +734,10 @@ int vc_set_nflags(uint32_t id, void __us
 	if (!nxi)
 		return -ESRCH;
 
+	ret = -EACCES;
+	if (!nx_info_flags(nxi, NXF_STATE_ADMIN, 0))
+		goto out_put;
+
 	/* special STATE flag handling */
 	mask = vx_mask_mask(vc_data.mask, nxi->nx_flags, NXF_ONE_TIME);
 	trigger = (mask & nxi->nx_flags) ^ (mask & vc_data.flagword);
@@ -740,9 +746,10 @@ int vc_set_nflags(uint32_t id, void __us
 		vc_data.flagword, mask);
 	if (trigger & NXF_PERSISTENT)
 		nx_set_persistent(nxi);
-
+	ret = 0;
+out_put:
 	put_nx_info(nxi);
-	return 0;
+	return ret;
 }
 
 int vc_get_ncaps(uint32_t id, void __user *data)
@@ -767,6 +774,7 @@ int vc_set_ncaps(uint32_t id, void __use
 {
 	struct nx_info *nxi;
 	struct vcmd_net_caps_v0 vc_data;
+	int ret;
 
 	if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 		return -EFAULT;
@@ -775,10 +783,16 @@ int vc_set_ncaps(uint32_t id, void __use
 	if (!nxi)
 		return -ESRCH;
 
+	ret = -EACCES;
+	if (!nx_info_flags(nxi, NXF_STATE_ADMIN, 0))
+		goto out_put;
+
 	nxi->nx_ncaps = vx_mask_flags(nxi->nx_ncaps,
 		vc_data.ncaps, vc_data.cmask);
+	ret = 0;
+out_put:
 	put_nx_info(nxi);
-	return 0;
+	return ret;
 }
 
 
diff -NurpP linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/signal.c linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/signal.c
--- linux-2.6.17.3-vs2.1.1-rc25.1.1/kernel/vserver/signal.c	2006-06-18 05:03:06 +0200
+++ linux-2.6.17.3-vs2.1.1-rc25.2/kernel/vserver/signal.c	2006-07-08 23:43:07 +0200
@@ -3,7 +3,7 @@
  *
  *  Virtual Server: Signal Support
  *
- *  Copyright (C) 2003-2005  Herbert Pötzl
+ *  Copyright (C) 2003-2006  Herbert Pötzl
  *
  *  V0.01  broken out from vcontext V0.05
  *
@@ -71,9 +71,9 @@ int vx_info_kill(struct vx_info *vxi, in
 
 int vc_ctx_kill(uint32_t id, void __user *data)
 {
-	int retval;
 	struct vcmd_ctx_kill_v0 vc_data;
 	struct vx_info *vxi;
+	int ret;
 
 	if (copy_from_user (&vc_data, data, sizeof(vc_data)))
 		return -EFAULT;
@@ -82,9 +82,14 @@ int vc_ctx_kill(uint32_t id, void __user
 	if (!vxi)
 		return -ESRCH;
 
-	retval = vx_info_kill(vxi, vc_data.pid, vc_data.sig);
+	ret = -EACCES;
+	if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0) && (vc_data.pid != 1))
+		goto out_put;
+
+	ret = vx_info_kill(vxi, vc_data.pid, vc_data.sig);
+out_put:
 	put_vx_info(vxi);
-	return retval;
+	return ret;
 }