On Sat, 18 May 2013 18:14:36 -0500
Serge Hallyn <serge.hal...@ubuntu.com> wrote:
 
> > > I do see that for instance feeding a
> > > tar file with malicious /bin/passwd, which templates later run
> > > under a regular chroot, could be just as easy...
> > 
> > I don't really understand what you mean with this...
> 
> In the ubuntu-cloud template we wget a tarball which is the rootfs for
> the container, extract it, then chroot into it and run /bin/passwd to

ah. I misread "/bin/passwd" as "/etc/passwd". Get it now, sorry.

It shows that Kaarles' patch is practically not making anything that is
worse than what other templates already do.

> So long as you mean embed the pub keys into the lxc template, that
> would be great.
> 
> And I think I'll pursue the same for ubuntu-cloud and cirros
> templates.
> 
> > --allow-untrusted in the same shot and you will at no point run
> > anything that has not been cryptographically verified.
> 
> Sounds great - thanks.

Will look at it.

Thanks for the feedback!

-nc

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel

Reply via email to