[systemd-devel] logind vs CAP_SYS_ADMIN-lessness
Lennart Poettering
lennart at poettering.net
Thu Jan 22 18:04:37 PST 2015
On Thu, 22.01.15 15:53, Christian Seiler (christian at iwakd.de) wrote:
> Nevertheless, I think it would be great if this could also be fixed,
> because you never know what other applications people might come up
> with.
>
> The solution would probably be to just add a code path to chown
> the directory instead of mounting a tmpfs on top of it. That doesn't
> separate users from root inside the container quite as much, but in
> containers without CAP_SYS_ADMIN, I think that's a trade-off that's
> worth making.
>
> What do you think?
Yeah, I agree. If we cannot mount the tmpfs due to EPERM we should add
a fallback to use a simple directory instead. Would be happy to take a
patch for that.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list