On 02/14/2013 10:23 PM, Eric W. Biederman wrote:
With recent changes this is tied to the initial user namespace. So the
simple solution to this and so many other similiar security problems is
to run your container in a user namespace.
The permission check currently is capable(CAP_SYS_ADMIN) which requires
the caller to have the CAP_SYS_ADMIN in the initial user namespace.
I'm not sure I follow. Are these changes in k.org, or in another
repository someplace?
In k.org. 3.7 would work. 3.8-rcX would work even better.
root in a user namespace does not have permission to call TIOCCONS.
Ok, that's good enough for me. I don't have a compelling reason to make
it work, beyond liking consistency.
Thank you,
-corey
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
