On Thu, 2011-04-07 at 18:00 +0100, Justin Cormack wrote: > I want to run a command in a container with lxc-execute, and its not > something that does setuid, setgid itself, it expects to be run as a > non-root user. > > Am I correct that the expected way to do this is to run lxc-setcap so I > can run lxc-execute as the user, and then make sure the container config > has > > lxc.cap.drop = dac_override fowner setpcap net_admin net_raw sys_chroot > sys_admin > > so I drop all the capabilities again? It seems slightly more error prone > than being able to set a uid and gid in the config directly, but maybe > its just me adjusting to using capabilities...
Ok, replying to myself, it seems almost right. It is not possible to drop the capabilities dac_override and sys_admin or the lxc-execute will fail (unable to execute lxc-init and unable to mount /proc). However, as the executable that lxc-init is calling has no inheritable capabilities these get dropped when it is execd anyway, so it does do what I want for running fastcgi processes in a container. Justin ------------------------------------------------------------------------------ Xperia(TM) PLAY It's a major breakthrough. An authentic gaming smartphone on the nation's most reliable network. And it wants your games. http://p.sf.net/sfu/verizon-sfdev _______________________________________________ Lxc-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/lxc-users
