Am 13.08.2014 um 19:40 schrieb Damjan Georgievski: >>> anyway. is there a reason this is not enabled now? >>> all the mainstream distros hae it enabled now Fedora, RHEL/CentOS 7, >>> Ubuntu and Debian (at least on the backported kernel) >> >> I'd think about it, if the feature wasn't entirely useless. Despite the >> lack of official documentation, I found a document that described how it >> worked. After reading that document I concluded that the feature is a >> huge potential security risk with no actual benefit. > > What security risk exactly? There was one that I know of, and it was fixed. I am thinking about the risks that are yet unknown. >> If you give me a valid use case for USER_NS, I might reconsider, but >> every use case I can imagine is crushed by the limitations of the >> implementation. > > The use case is that you don't need root access to start a container. That's interesting - I was unable to get anything like this done. Maybe the LXC people are smarter than me after all.
Attachment:
signature.asc
Description: OpenPGP digital signature
