On Tue, 2015-03-31 at 17:08 +0300, James Bottomley wrote:
> On Tue, 2015-03-31 at 06:59 -0700, Andy Lutomirski wrote:
> >
> > I don't think that this is correct. That user can already create a
> > nested userns and map themselves as 0 inside it. Then they can mount
> > devpts.
>
> I don't mind if they create a container and control the isolated ttys in
> that sub container in the VPS; that's fine. I do mind if they get
> access to the ttys in the VPS.
>
> If you can convince me (and the rest of Linux) that the tty subsystem
> should be mountable by an unprivileged user generally, then what you
> propose is OK.

That is controlled by the general rights to mount stuff. I.e. unless you
have CAP_SYS_ADMIN in the VPS container you will not be able to mount
devpts there. You can only do it in a subcontainer where you got
permission to mount by using user namespaces.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl@xxxxxxxxxx            alexander.larsson@xxxxxxxxx 
He's an old-fashioned neurotic master criminal from the Mississippi delta. 
She's a manipulative extravagant widow on her way to prison for a murder 
she didn't commit. They fight crime! 
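The sequence Andy describes in the quoted reply (unshare a nested user namespace, map yourself to uid 0 inside it, then attempt a devpts mount there) as an added example; it is not part of the original thread and not code from any kernel patch under discussion. It is a probe rather than an exploit: it reports what the running kernel decides at each step instead of assuming an outcome. The `probe_result` struct, the scratch directory under `/tmp` and the `newinstance,ptmxmode=0666` mount options are this example's own choices; whether `unshare(CLONE_NEWUSER)` is permitted at all, and whether the final mount succeeds, depends on the kernel version and the environment, and both are returned as errno values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER /* fallback if <sched.h> was seen before _GNU_SOURCE */
#define CLONE_NEWNS 0x00020000
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);
/* Report from the child; this struct is the example's own bookkeeping. */
struct probe_result {
    int unshare_errno;    /* 0 if unshare(CLONE_NEWUSER | CLONE_NEWNS) worked */
    int map_errno;        /* 0 if setgroups/gid_map/uid_map were written */
    unsigned euid_inside; /* geteuid() after mapping; 0 = "root" in the nested userns */
    int mount_errno;      /* 0 if mount -t devpts succeeded there, else its errno */
};

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    size_t len = strlen(text);
    int err = write(fd, text, len) == (ssize_t)len ? 0 : (errno ? errno : EIO);
    close(fd);
    return err;
}

/* Map the caller's outer uid/gid onto 0 inside the user namespace just created.
 * An unprivileged writer must deny setgroups before writing gid_map (kernel >= 3.19). */
static int map_self_to_root(unsigned uid, unsigned gid)
{
    char line[64];
    int err = write_file("/proc/self/setgroups", "deny");
    if (err && err != ENOENT)
        return err;
    snprintf(line, sizeof line, "0 %u 1\n", gid);
    if ((err = write_file("/proc/self/gid_map", line)) != 0)
        return err;
    snprintf(line, sizeof line, "0 %u 1\n", uid);
    return write_file("/proc/self/uid_map", line);
}

/* Child: become uid 0 in a nested userns, then try a private devpts mount there. */
static void child_probe(int wr, unsigned uid, unsigned gid)
{
    struct probe_result r = { 0, 0, (unsigned)-1, 0 };
    char dir[] = "/tmp/devpts-probe-XXXXXX"; /* assumes a writable /tmp */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) {
        r.unshare_errno = errno;
    } else if ((r.map_errno = map_self_to_root(uid, gid)) == 0) {
        r.euid_inside = geteuid();
        /* As `unshare -m` does: keep our mounts from propagating back out. */
        mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL);
        if (mkdtemp(dir) == NULL || mount("devpts", dir, "devpts",
                MS_NOSUID | MS_NOEXEC, "newinstance,ptmxmode=0666") < 0)
            r.mount_errno = errno;
        else
            umount2(dir, MNT_DETACH);
        rmdir(dir);
    }
    _exit(write(wr, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
}

/* Parent: run the probe in a forked child and collect its report. Returns 0 or an errno. */
int probe_nested_userns_devpts(struct probe_result *out)
{
    int fds[2];
    memset(out, 0, sizeof *out);
    if (pipe(fds) < 0)
        return errno;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        close(fds[0]);
        child_probe(fds[1], getuid(), getgid()); /* does not return */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : EIO;
}

int main(void)
{
    struct probe_result r;
    if (probe_nested_userns_devpts(&r) != 0)
        return 1;
    printf("unshare: %s; mapping: %s; euid inside: %u; devpts mount: %s\n", strerror(r.unshare_errno),
           strerror(r.map_errno), r.euid_inside, strerror(r.mount_errno));
    return 0;
}
```

Run it as an ordinary user. The distinction Alexander draws is visible in the output: the process never asks for a devpts mount in the VPS's own mount namespace, where it lacks CAP_SYS_ADMIN; it asks only inside the sub-namespace it created, where it does hold that capability, and anything it mounts there is confined to that namespace. The `MS_REC | MS_PRIVATE` remount is the same guard `unshare -m` applies so that no mount event can propagate back to the parent. An `EPERM` from `unshare` means the environment forbids unprivileged user namespaces altogether; an `EPERM` from the devpts mount means the kernel does not let devpts be mounted from a user namespace, which is the behaviour the thread is debating.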