Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Nikola Kotur
On Wed, 20 Nov 2013 10:57:01 -0600 Serge Hallyn wrote: > > + lxc_fill_elevated_privileges(NULL, &elevated_privileges); > > Note I've applied it as is, and this failure shouldn't ever happen > anyway, but you're not checking return value of > lxc_fill_elevated_privileges() here. Than

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Serge Hallyn
Quoting Nikola Kotur (kotn...@gmail.com): > switch (c) { > - case 'e': elevated_privileges = 1; break; > + case 'e': > + ret = lxc_fill_elevated_privileges(arg, &elevated_privileges); > + if (ret) > + return -1; > + break; >
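Review bot: in the `case 'e':` branch, `return -1` on a non-zero `ret` ends option parsing with no message in these lines saying which privilege string in `arg` was rejected; unless `lxc_fill_elevated_privileges()` reports that itself, print the offending value before returning. Since the removed line treated `-e` as a plain flag (`elevated_privileges = 1`), also confirm that a bare `-e` with no argument still elevates everything, so existing invocations keep their behaviour.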

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de): > Hi, > > assuming this compiles and does the right thing at runtime (I haven't > had time to test it, but from reading the source it looks fine) and > as discussed in this thread you will slightly improve it later: > > Am 20.11.2013 15:07, schrieb N

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Nikola Kotur
On Wed, 20 Nov 2013 16:46:07 + Christian Seiler wrote: > assuming this compiles and does the right thing at runtime (I haven't > had time to test it, but from reading the source it looks fine) and > as discussed in this thread you will slightly improve it later: > > > Signed-off-by: Nikola K

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Christian Seiler
Hi, assuming this compiles and does the right thing at runtime (I haven't had time to test it, but from reading the source it looks fine) and as discussed in this thread you will slightly improve it later: Am 20.11.2013 15:07, schrieb Nikola Kotur: > There are scenarios in which we want to execut

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Nikola Kotur
On Wed, 20 Nov 2013 15:29:10 + Christian Seiler wrote: > Since I added those options back in the day, a bit of a rationale Thanks for the explanation! > However, with your patch (which makes sense since my rewrite of the > API), I think one could give the user the option of not elevating th

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de): > Hi there, > > > And if you have a bit of time I'd appreciate if you could explain why > > should we elevate privileges for attaching to specific namespace? > > Seems > > to me that it is unrelated, since I should be able to enter NETWORK > > ns >

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Nikola Kotur
On Wed, 20 Nov 2013 09:35:51 -0600 Serge Hallyn wrote: > > > I also notice that currently it seems broken as the manpage says > > > that -R should imply -e > > > > Actually, it's not -R that implies -e, it's the -s option > > I was sure I saw a comment about -R implying -e, but I don't see it >

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Serge Hallyn
Quoting Nikola Kotur (kotn...@gmail.com): > On Tue, 19 Nov 2013 15:48:36 -0600 > Serge Hallyn wrote: > > > Quoting Nikola Kotur (kotn...@gmail.com): > > > There are scenarios in which we want to execute process with > > > specific privileges elevated. > > > > thanks for submitting this patch. No

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Christian Seiler
Hi there, > And if you have a bit of time I'd appreciate if you could explain why > should we elevate privileges for attaching to specific namespace? > Seems > to me that it is unrelated, since I should be able to enter NETWORK > ns > while not elevating cgroup, for example? Since I added those

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Nikola Kotur
On Tue, 19 Nov 2013 15:48:36 -0600 Serge Hallyn wrote: > Quoting Nikola Kotur (kotn...@gmail.com): > > There are scenarios in which we want to execute process with > > specific privileges elevated. > > thanks for submitting this patch. No objection overall, however > there are a few existing pla

Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-19 Thread Serge Hallyn
Quoting Nikola Kotur (kotn...@gmail.com): > There are scenarios in which we want to execute process with specific > privileges elevated. > > An example for this might be executing a process inside the container > securely, with capabilities dropped, but not in container's cgroup so > that we can h