On Sat, 2011-07-30 at 21:10 -0400, Matthew Franz wrote:
> Had seen some previous discussions before, but are there any ways to
> mitigate this design vulnerability?
>
> http://blog.bofh.it/debian/id_413
>
> Are there any workarounds?
>
> Thanks,
>
> - mdf
>
The blog post explicitly mounts /sys... Why would you want your container to even have the capability to mount anything? If possible, drop CAP_SYS_ADMIN.
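One way to confirm that a container really has lost CAP_SYS_ADMIN, as an added example that is not part of the original thread: the script reads the capability bounding set (`CapBnd`) in `/proc/<pid>/status` format and tests bit 21. The function names and the two sample status excerpts are constructed for illustration; `lxc.cap.drop` is the LXC configuration key that removes a capability from the bounding set.

```shell
#!/bin/sh
# Audit whether CAP_SYS_ADMIN is still in a process's capability bounding set.
# In the container config the drop is requested with:  lxc.cap.drop = sys_admin
# Function names below are hypothetical helpers, not part of LXC.

CAP_SYS_ADMIN=21   # capability number from <linux/capability.h>

# Read /proc/<pid>/status-style text on stdin, print the hex CapBnd mask.
capbnd_from_status() {
    sed -n 's/^CapBnd:[[:space:]]*\([0-9A-Fa-f]*\).*/\1/p'
}

# Exit 0 when capability bit $2 is set in hex mask $1.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Verdict for status text on stdin:
#   0 = CAP_SYS_ADMIN dropped, 1 = still available, 2 = no CapBnd line.
audit_status() {
    mask=$(capbnd_from_status)
    [ -n "$mask" ] || { echo "no CapBnd line found"; return 2; }
    if mask_has_cap "$mask" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN still in bounding set ($mask): root can call mount(2)"
        return 1
    fi
    echo "CAP_SYS_ADMIN dropped ($mask)"
}

# Constructed samples: a full bounding set, and the same set with bit 21 cleared.
SAMPLE_FULL='Name: init
CapBnd: 0000001fffffffff'
SAMPLE_DROPPED='Name: init
CapBnd: 0000001fffdfffff'

printf '%s\n' "$SAMPLE_FULL"    | audit_status || true
printf '%s\n' "$SAMPLE_DROPPED" | audit_status || true

# Inside a running container, audit its init process instead:
#   audit_status < /proc/1/status
```
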