On 02/14/2013 10:23 PM, Eric W. Biederman wrote:
With recent changes this is tied to the initial user namespace. So the
simple solution to this and so many other similiar security problems is
to run your container in a user namespace.
The permission check currently is capable(CAP_SYS_ADMIN) which requires
the caller to have the CAP_SYS_ADMIN in the initial user namespace.
I'm not sure I follow. Are these changes in k.org, or in another
repository someplace?
In k.org. 3.7 would work. 3.8-rcX would work even better.
root in a user namespace does not have permission to call TIOCCONS.
Ok, that's good enough for me. I don't have a compelling reason to make
it work, beyond liking consistency.
Thank you,
-corey
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/