On Tue, Oct 01, 2013 at 02:41:53PM +0000, "Jóhann B. Guðmundsson" wrote:
> Actually the code I posted creates a backdoor to give a user who runs
> it the ability to gain root privileges via setcap ( setcap
> cap_setuid=ep .b ).

Right, but the key is that you _already have_ root privileges in the
container. However, certain capabilities have been dropped from the
_permitted_ set; once dropped, you can't get them back even by execing a
binary with filesystem capabilities set.

Therefore, it seems fairly harmless to allow them to be set (e.g. don't drop
that particular capability) -- unless I'm missing something.

-- 
Matthew Miller    mattdm@xxxxxxxxxx    <http://mattdm.org/>
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
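
Added example, not part of the original message: a small Python model of the execve() capability rule documented in capabilities(7), applied to the "setcap cap_setuid=ep" file discussed above. It assumes the container runtime removed CAP_SETUID from the bounding set as well as the permitted set; the process and file values are constructed for illustration.

```python
# Added example: model of the execve() capability rule in capabilities(7).
from dataclasses import dataclass

CAP_SETUID = 7                 # number from <linux/capability.h>
ALL_CAPS = (1 << 41) - 1       # capabilities 0..40 on current kernels

@dataclass(frozen=True)
class Proc:
    permitted: int
    inheritable: int
    bounding: int
    ambient: int = 0
    effective: int = 0

@dataclass(frozen=True)
class FileCaps:                # what setcap stores in security.capability
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False

def execve(p: Proc, f: FileCaps, uid0: bool = False) -> Proc:
    """New capability sets after exec. Omitted: the kernel's EPERM safety
    check for files with the effective bit, and set-uid/set-gid handling."""
    privileged = bool(f.permitted or f.inheritable)
    if uid0:                   # for root the file sets count as all ones
        f = FileCaps(ALL_CAPS, ALL_CAPS, True)
    ambient = 0 if privileged else p.ambient
    permitted = ((p.inheritable & f.inheritable)
                 | (f.permitted & p.bounding)   # bounding set masks file caps
                 | ambient)
    effective = permitted if f.effective else ambient
    return Proc(permitted, p.inheritable, p.bounding, ambient, effective)

def gains_setuid(p: Proc, f: FileCaps, uid0: bool = False) -> bool:
    return bool(execve(p, f, uid0).effective >> CAP_SETUID & 1)

# Constructed scenario: "cap_setuid=ep" on a file, as in the quoted setcap call.
BACKDOOR = FileCaps(permitted=1 << CAP_SETUID, effective=True)
BOUNDED = ALL_CAPS & ~(1 << CAP_SETUID)          # container without CAP_SETUID
CONTAINER_ROOT = Proc(BOUNDED, 0, BOUNDED, effective=BOUNDED)
CONTAINER_USER = Proc(0, 0, BOUNDED)
HOST_USER = Proc(0, 0, ALL_CAPS)

if __name__ == "__main__":
    print("container root:", gains_setuid(CONTAINER_ROOT, BACKDOOR, uid0=True))
    print("container user:", gains_setuid(CONTAINER_USER, BACKDOOR))
    print("host user:     ", gains_setuid(HOST_USER, BACKDOOR))
```

The bounding set does not mask the inheritable path, so a runtime that wants the capability gone should also clear it from the inheritable set of the container's processes.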