Re: [PATCH 4/4] Allow unprivileged chroot when safe

Colin Walters wrote:
> On Sun, 2012-01-15 at 16:37 -0800, Andy Lutomirski wrote:
> 
> > Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN
> > is still required if the caller is already chrooted.
> 
> This part is pretty gross.  It means it won't work for stuff like
> containers (systemd-nspawn etc.) and furthermore

> I have plans that involve running OS trees inside a chroot, and this
> would obviously not work for that.

Indeed, I do run many of my machines inside a chroot.
The real filesystem has:

    /distro/that
    /distro/newer
    /distro/this

instead of partitions.  I'm chroot'd and fully booted up in
/distro/this, although I can see files in the others and I might run a
few things from them as well.

This isn't "userland chroot", it's the top level of the process tree:
/distro/this/sbin/init.  It would be a shame if it behaved differently
just because "it's a chroot".

-- Jamie