Re: [lxc-devel] security considerations when running lxc as non-root

2010-07-02 Thread Serge E. Hallyn
Quoting Ferenc Wagner (wf...@niif.hu):
> Daniel Lezcano writes:
>
> > The lxc tools can be run as non-root with all the needed capabilities
> > set by lxc-setcap via the file capabilities. The command run by lxc
> > won't have these privileges of course.
>
> I've always regarded such setups as a

Re: [lxc-devel] security considerations when running lxc as non-root

2010-07-02 Thread Serge E. Hallyn
Quoting Greg Kurz (gk...@fr.ibm.com):
> On Thu, 2010-07-01 at 10:58 -0500, Serge E. Hallyn wrote:
> > 3. instead of keeping caps in pP and raising in pE when needed,
> > a more privilege-separated approach could be used, where you
> > have small privileged helpers which are called by the unprivileg

Re: [lxc-devel] security considerations when running lxc as non-root

2010-07-02 Thread Ferenc Wagner
Daniel Lezcano writes:
> The lxc tools can be run as non-root with all the needed capabilities
> set by lxc-setcap via the file capabilities. The command run by lxc
> won't have these privileges of course.

I've always regarded such setups as a root shell by design, as it lets any user mount a fi

Re: [lxc-devel] security considerations when running lxc as non-root

2010-07-02 Thread Greg Kurz
On Thu, 2010-07-01 at 10:58 -0500, Serge E. Hallyn wrote:
> 3. instead of keeping caps in pP and raising in pE when needed,
> a more privilege-separated approach could be used, where you
> have small privileged helpers which are called by the unprivileged
> main program. In this case, lxc-start wo