[lxc-devel] [PATCH] lxc-attach: elevate specific privileges

Nikola Kotur kotnick at gmail.com
Wed Nov 20 14:56:20 UTC 2013


On Tue, 19 Nov 2013 15:48:36 -0600
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Nikola Kotur (kotnick at gmail.com):
> > There are scenarios in which we want to execute process with
> > specific privileges elevated.
>
> thanks for submitting this patch.  No objection overall, however
> there are a few existing places where elevated_privileges is set to 1
> which you are not updating.

Thanks for the review and for catching this. I will update the patch
and resend it (along with a signed-off-by).

> I also notice that currently it seems broken as the manpage says that
> -R should imply -e, but i don't see where that is enforced any more.

Actually, it's not -R that implies -e, it's the -s option (specifying
which namespaces to attach to).

And if you have a bit of time I'd appreciate if you could explain why
should we elevate privileges for attaching to specific namespace? Seems
to me that it is unrelated, since I should be able to enter NETWORK ns
while not elevating cgroup, for example?

Thanks.

-- 
Nikola Kotur
http://blog.kotur.org

PGP key: http://bin.kotur.org/key.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20131120/9a8ca4f2/attachment.pgp>


More information about the lxc-devel mailing list