[systemd-devel] logind vs CAP_SYS_ADMIN-lessness

Lennart Poettering lennart at poettering.net
Thu Jan 22 18:04:37 PST 2015


On Thu, 22.01.15 15:53, Christian Seiler (christian at iwakd.de) wrote:

> Nevertheless, I think it would be great if this could also be fixed,
> because you never know what other applications people might come up
> with.
> 
> The solution would probably be to just add a code path to chown
> the directory instead of mounting a tmpfs on top of it. That doesn't
> separate users from root inside the container quite as much, but in
> containers without CAP_SYS_ADMIN, I think that's a trade-off that's
> worth making.
> 
> What do you think?

Yeah, I agree. If we cannot mount the tmpfs due to EPERM we should add
a fallback to use a simple directory instead. Would be happy to take a
patch for that.

Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list