[systemd-devel] logind vs CAP_SYS_ADMIN-lessness

Christian Seiler christian at iwakd.de
Fri Jan 23 06:45:02 PST 2015


Am 2015-01-23 08:29, schrieb Mantas Mikul─Śnas:
> IIRC, the reason for tmpfs on /run/user/* was lack of tmpfs quotas...
> if thats still a problem, maybe there could be one tmpfs at 
> /run/user,
> still preventing users from touching root-only /run?

Yes, that's a good idea. Initially when posting this thread I thought
that there just had to be a trade-off between dropping CAP_SYS_ADMIN
(and making it more difficult to escape the container), and a user
inside the container DOSing the container by filling up /run.

But with your idea, I can at least separate /run/user from /run
itself (the same way mode=1777 /run/lock is a separate tmpfs already)
by just a simple static mount entry for the container.

Thanks for bringing this up!

Christian



More information about the systemd-devel mailing list