On Mon, Aug 18, 2014 at 05:40:19PM +0000, Steven Stewart-Gallus wrote: > > guessing the sandbox isn't really meant for security purposes since > > CAP_SYS_ADMIN can easily be used to recover just about every other > > capability. http://lwn.net/Articles/486306/ The currently supported scenario is that you can remove suid from mount(8) and replace it with cap_dac_override,cap_sys_admin+ep. Note that in this case mount(8) still requires 'user' in fstab of course. The disadvantage is that mount(8) is not able to update for example /etc/mtab (or /run/mount/utab), because cap_sys_admin is just subset of the original suid privileges. > capabilities in a CLONE_NEW_USER sandbox only apply to the sandbox and not > things outside of the sandbox such as devices. Well, user namespace is little bit different story and we already talked about it (in May). http://www.spinics.net/lists/util-linux-ng/msg09309.html The idea is that we can drop privileges rather than exit with "only root can..." error message. I'd like to try it during this release cycle. Karel -- Karel Zak <kzak@xxxxxxxxxx> http://karelzak.blogspot.com -- To unsubscribe from this list: send the line "unsubscribe util-linux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
