| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <511E4B32.3030003@acm.org> Date: Fri, 15 Feb 2013 08:50:26 -0600 From: Corey Minyard <tcminyard@...il.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> CC: Bruno Prémont <bonbons@...ux-vserver.org>, Corey Minyard <cminyard@...sta.com>, containers@...ts.linux-foundation.org, Linux Kernel <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] Move console redirect to pid namespace On 02/14/2013 10:23 PM, Eric W. Biederman wrote: > >>> With recent changes this is tied to the initial user namespace. So the >>> simple solution to this and so many other similiar security problems is >>> to run your container in a user namespace. >>> >>> The permission check currently is capable(CAP_SYS_ADMIN) which requires >>> the caller to have the CAP_SYS_ADMIN in the initial user namespace. >> I'm not sure I follow. Are these changes in k.org, or in another >> repository someplace? > In k.org. 3.7 would work. 3.8-rcX would work even better. > > root in a user namespace does not have permission to call TIOCCONS. Ok, that's good enough for me. I don't have a compelling reason to make it work, beyond liking consistency. Thank you, -corey -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists