[systemd-devel] logind vs CAP_SYS_ADMIN-lessness

Mantas Mikulėnas grawity at gmail.com
Thu Jan 22 23:29:19 PST 2015


On Fri, Jan 23, 2015 at 4:04 AM, Lennart Poettering <lennart at poettering.net>
wrote:

> On Thu, 22.01.15 15:53, Christian Seiler (christian at iwakd.de) wrote:
>
> > Nevertheless, I think it would be great if this could also be fixed,
> > because you never know what other applications people might come up
> > with.
> >
> > The solution would probably be to just add a code path to chown
> > the directory instead of mounting a tmpfs on top of it. That doesn't
> > separate users from root inside the container quite as much, but in
> > containers without CAP_SYS_ADMIN, I think that's a trade-off that's
> > worth making.
> >
> > What do you think?
>
> Yeah, I agree. If we cannot mount the tmpfs due to EPERM we should add
> a fallback to use a simple directory instead. Would be happy to take a
> patch for that.
>

IIRC, the reason for tmpfs on /run/user/* was lack of tmpfs quotas... if
that's still a problem, maybe there could be one tmpfs at /run/user, still
preventing users from touching root-only /run?

-- 
Mantas Mikulėnas <grawity at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150123/d2b7ce92/attachment.html>


More information about the systemd-devel mailing list