Quoting Ferenc Wagner (wf...@niif.hu):
> Daniel Lezcano writes:
>
> > The lxc tools can be run as non-root with all the needed capabilities
> > set by lxc-setcap via the file capabilities. The command run by lxc
> > won't have these privileges of course.
>
> I've always regarded such setups as a

Quoting Greg Kurz (gk...@fr.ibm.com):
> On Thu, 2010-07-01 at 10:58 -0500, Serge E. Hallyn wrote:
> > 3. instead of keeping caps in pP and raising in pE when needed,
> > a more privilege-separated approach could be used, where you
> > have small privileged helpers which are called by the unprivileg

Daniel Lezcano writes:
> The lxc tools can be run as non-root with all the needed capabilities
> set by lxc-setcap via the file capabilities. The command run by lxc
> won't have these privileges of course.
I've always regarded such setups as a root shell by design, as it lets
any user mount a fi

On Thu, 2010-07-01 at 10:58 -0500, Serge E. Hallyn wrote:
> 3. instead of keeping caps in pP and raising in pE when needed,
> a more privilege-separated approach could be used, where you
> have small privileged helpers which are called by the unprivileged
> main program. In this case, lxc-start wo

Haven't looked closely enough yet, but a few comments:
1. mount/umount make up a lot of the privileged calls, and
at some point these will hopefully be supported unprivileged
(at least for bind mounts).
2. one nice bonus of this is that we can easily spot where
priv is expected to be used
3. ins

On Thu, 2010-07-01 at 17:47 +0200, Ferenc Wagner wrote:
> Daniel Lezcano writes:
>
> > "... If you can't permanently give up the privilege, then you can at
> > least temporarily drop the privilege as often as possible. [...]
> > Many attacks only work if they trick the privileged program into d

Daniel Lezcano writes:
> "... If you can't permanently give up the privilege, then you can at
> least temporarily drop the privilege as often as possible. [...]
> Many attacks only work if they trick the privileged program into doing
> something unintended while its privileges are enabled (for e