On 06/01/2014 05:13 PM, Daniel Baumann wrote:
> On 06/02/2014 12:06 AM, John Goerzen wrote:
>> Everything I have read says one must use either AppArmor or user
>> namespaces to make it secure.
> 
> or, like I said, you can r/o mount certain pseudo-fs and drop a bunch of
> capabilities, like lxc-debconfig in lxc-stuff does by default (and
> lxc-debian in Debian's lxc did until I've been told to not touch the
> upstream debian template).

The debconfig template is indeed a lot better.  I would suggest:

1) It be included in lxc itself.

2) It be documented in lxc-create(1) as the preferred way to create a
Debian environment.

3) It be documented in /usr/share/doc/lxc/README.Debian and
/usr/share/doc/lxc-stuff/README as the preferred way to create a Debian
environment.

Better yet, the "debian" template should be warned as insecure by
default, which it is.

John

