[systemd-devel] logind vs CAP_SYS_ADMIN-lessness
Christian Seiler
christian at iwakd.de
Fri Jan 23 06:45:02 PST 2015
On 2015-01-23 08:29, Mantas Mikulėnas wrote:
> IIRC, the reason for tmpfs on /run/user/* was lack of tmpfs quotas...
> if that's still a problem, maybe there could be one tmpfs at /run/user,
> still preventing users from touching root-only /run?
Yes, that's a good idea. Initially when posting this thread I thought
that there just had to be a trade-off between dropping CAP_SYS_ADMIN
(and making it more difficult to escape the container), and a user
inside the container DoSing the container by filling up /run.
But with your idea, I can at least separate /run/user from /run
itself (the same way mode=1777 /run/lock is a separate tmpfs already)
by just a simple static mount entry for the container.
Thanks for bringing this up!
Christian
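As an added example (not part of the original mail or of systemd), a small POSIX shell check of the arrangement discussed above: it reads mountinfo-format text and reports whether /run/user is its own size-limited tmpfs rather than a plain directory on the shared /run tmpfs. The mount table below is constructed sample data, and the fstab line in the comment is only one possible form of the static mount entry.

```shell
#!/bin/sh
# Added example: verify that /run/user is a separate, size-bounded tmpfs so a
# user filling it cannot exhaust the /run tmpfs itself. Input is text in the
# format of /proc/self/mountinfo (field 5 = mount point, fields after " - " =
# fstype, source, super options). A matching static entry could look like
# (assumed, not from the thread):
#   tmpfs /run/user tmpfs nosuid,nodev,noexec,size=64M,mode=755 0 0

# Constructed sample: /run is a tmpfs; /run/lock (mode=1777, as in the mail)
# and /run/user are separate tmpfs mounts, /run/user with an explicit size.
SAMPLE_MOUNTINFO='24 1 0:22 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
25 24 0:23 / /run/lock rw,nosuid,nodev,noexec - tmpfs tmpfs rw,size=5120k,mode=1777
26 24 0:24 / /run/user rw,nosuid,nodev,noexec - tmpfs tmpfs rw,size=65536k,mode=755'

# run_user_is_isolated MOUNTINFO_TEXT
# Prints "ok" and returns 0 when /run/user is a tmpfs mount with a size= limit;
# otherwise prints the reason and returns 1.
run_user_is_isolated() {
    line=$(printf '%s\n' "$1" | awk '$5 == "/run/user" { print; exit }')
    if [ -z "$line" ]; then
        echo "missing: /run/user is not a mount point (it shares /run)"
        return 1
    fi
    # Strip everything up to and including the " - " separator.
    rest=${line#* - }
    fstype=${rest%% *}
    superopts=${rest##* }
    if [ "$fstype" != "tmpfs" ]; then
        echo "wrong-fstype: /run/user is $fstype, not tmpfs"
        return 1
    fi
    case ",$superopts," in
        *,size=*) ;;
        *) echo "unbounded: /run/user tmpfs has no size= limit"; return 1 ;;
    esac
    echo "ok"
    return 0
}

# Stand-alone usage against the constructed sample.
run_user_is_isolated "$SAMPLE_MOUNTINFO"
```

On a real host, feed it `cat /proc/self/mountinfo` instead of the sample.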