Hi,
I've attached three additional patches for possible improvements to
lxc-attach.
The first two I think should be applied directly, they do the
following:
1) Create a sane fallback to /bin/sh if it is impossible to detect
the container's shell because of incompatible nss implementations
between host and container
2) Detect the user & group id of PID 1 and use that for lxc-attach
instead of root, when attaching to user namespaces.
The third patch I'm not really sure about the security implications of,
so I'm sending it as a draft, but somebody who knows more about the
specifics should look over it.
3) Add -u and -g options to lxc-attach to allow the user to specify
user and group ids to setuid()/setgid() to when attaching.
This feature could be really useful, on the other hand, I have
only ever used lxc running as root (never tried lxc-setcap), so I
have no idea if this could pose a potential security problem or
not. (When running as root, you have all the rights anyway, so
then it's fine.) I'd like some feedback on this before I feel
comfortable signing off on adding these options.
Now if somebody tells me that attach is only possible as root
anyway so far, then I don't have any qualms, but I'd rather be
safe than sorry.
-- Christian
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
