[systemd-commits] tmpfiles.d/var.conf

Lennart Poettering lennart at kemper.freedesktop.org
Thu Nov 20 15:34:36 PST 2014


 tmpfiles.d/var.conf |    2 ++
 1 file changed, 2 insertions(+)

New commits:
commit 797e7a51cdfb23fa1b90b0a0ea2d5c1c83a739e1
Author: Martin Pitt <martin.pitt at ubuntu.com>
Date:   Thu Nov 20 14:37:08 2014 +0100

    tmpfiles.d: Create /var/lib/containers
    
    Create /var/lib/containers so that it exists with an appropriate mode. We want
    0700 by default so that users on the host aren't able to call suid root
    binaries in the container. This becomes a security issue if a user can enter a
    container as root, create a suid root binary, and call that from the host.
    (This assumes that containers are caged by mandatory access control or are
    started as user).
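
The mechanism the commit message relies on, as an added example that is not part of this commit or of systemd: a small Python model of the kernel's path-walk permission check, run over a constructed host tree that holds one container root under /var/lib/containers with a set-uid root binary inside it. The names `sample_tree`, `exec_as`, `permitted`, the `ctr` container directory and the `getroot` binary are assumptions made for the illustration. With /var/lib/containers at 0755 the unprivileged host user reaches the binary and would run it with euid 0; with 0700 the walk fails at /var/lib/containers with EACCES before the set-uid bit ever matters.

```python
"""Why /var/lib/containers gets mode 0700: a model of the kernel path walk.

Added example for this commit message; it is not systemd code. It
implements the classic UNIX discretionary access check the kernel runs
for each component of a path: every directory up to the file needs
search (x) permission for the caller, then the file needs execute
permission, and a set-uid bit on the file changes the effective uid of
the new process. The tree layout, uids and file names below are
constructed for illustration.
"""
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, NamedTuple


@dataclass(frozen=True)
class Inode:
    mode: int   # full st_mode, e.g. stat.S_IFDIR | 0o755
    uid: int
    gid: int


@dataclass(frozen=True)
class Caller:
    uid: int
    gids: FrozenSet[int]


class ExecResult(NamedTuple):
    ok: bool
    euid: int       # effective uid the new process would run with
    reason: str


# assumed names for the illustration
SUID_BINARY = "/var/lib/containers/ctr/usr/bin/getroot"
HOST_USER = Caller(uid=1000, gids=frozenset({1000}))


def permitted(inode: Inode, caller: Caller, want: int) -> bool:
    """DAC check for one inode; `want` is stat.S_IROTH, S_IWOTH or S_IXOTH.

    uid 0 stands in for CAP_DAC_OVERRIDE: it bypasses read/write, and may
    execute a regular file only if some x bit is set (directories are
    always searchable for it).
    """
    if caller.uid == 0:
        if want != stat.S_IXOTH:
            return True
        return stat.S_ISDIR(inode.mode) or bool(inode.mode & 0o111)
    if caller.uid == inode.uid:
        shift = 6            # owner class
    elif inode.gid in caller.gids:
        shift = 3            # group class
    else:
        shift = 0            # other class
    return bool(inode.mode & (want << shift))


def exec_as(tree: Dict[str, Inode], path: str, caller: Caller) -> ExecResult:
    """Simulate execve(path) by `caller` over the in-memory `tree`."""
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"]
    for name in parts[:-1]:
        ancestors.append(ancestors[-1].rstrip("/") + "/" + name)
    # the path walk: search permission on every directory component
    for d in ancestors:
        if not permitted(tree[d], caller, stat.S_IXOTH):
            return ExecResult(False, caller.uid,
                              f"EACCES: no search permission on {d}")
    f = tree[path]
    if not stat.S_ISREG(f.mode) or not permitted(f, caller, stat.S_IXOTH):
        return ExecResult(False, caller.uid, f"EACCES: cannot execute {path}")
    euid = f.uid if f.mode & stat.S_ISUID else caller.uid
    return ExecResult(True, euid, "ok")


def sample_tree(containers_mode: int) -> Dict[str, Inode]:
    """Host tree with one container root under /var/lib/containers (constructed)."""
    def d(mode: int) -> Inode:
        return Inode(stat.S_IFDIR | mode, 0, 0)   # root-owned, like the tmpfiles line
    return {
        "/": d(0o755),
        "/var": d(0o755),
        "/var/lib": d(0o755),
        "/var/lib/containers": d(containers_mode),
        "/var/lib/containers/ctr": d(0o755),
        "/var/lib/containers/ctr/usr": d(0o755),
        "/var/lib/containers/ctr/usr/bin": d(0o755),
        # dropped there by someone who is root inside the container
        SUID_BINARY: Inode(stat.S_IFREG | stat.S_ISUID | 0o755, 0, 0),
    }


if __name__ == "__main__":
    for mode in (0o755, 0o700):
        r = exec_as(sample_tree(mode), SUID_BINARY, HOST_USER)
        print(f"/var/lib/containers {mode:04o}: ok={r.ok} euid={r.euid} ({r.reason})")
```

The model stops at discretionary permissions on purpose: it shows that the single 0700 directory is what stands between a host user and a set-uid binary created by a container root, and that the protection assumes the container directory is owned by root on the host, which the `-` user and group fields of the tmpfiles line provide.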

diff --git a/tmpfiles.d/var.conf b/tmpfiles.d/var.conf
index 4b63e41..b4bf3bc 100644
--- a/tmpfiles.d/var.conf
+++ b/tmpfiles.d/var.conf
@@ -18,4 +18,6 @@ f /var/log/btmp 0600 root utmp -
 d /var/cache 0755 - - -
 
 d /var/lib 0755 - - -
+d /var/lib/containers 0700 - - -
+
 d /var/spool 0755 - - -
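Review bot: the new `d /var/lib/containers 0700 - - -` line also tightens an already existing /var/lib/containers, not just a freshly created one, because tmpfiles adjusts the mode and ownership of a `d` entry that is already present; the commit message only describes the default for a new directory. A host that already carries /var/lib/containers at 0755 with content meant to be reachable by unprivileged users will have it locked down to root on the next tmpfiles run, so please state that in the commit message, or use a different approach if only the creation default is intended. The rationale for the stricter mode among its 0755 siblings (`d /var/lib 0755 - - -`, `d /var/spool 0755 - - -`) lives only in the commit message; a one-line `#` comment above the new entry in var.conf would keep it next to the line it explains.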
