[lxc-devel] problem with user namespace as root

Stéphane Graber stgraber at ubuntu.com
Wed Feb 12 16:15:10 UTC 2014


On Wed, Feb 12, 2014 at 05:05:31PM +0100, Stephan Sachse wrote:
> > > where is the fault?
> >
> > I suspect lxc.autodev is the problem, as far as I know (and the above
> > seems to prove it), it doesn't work with unprivileged containers as it
> > currently requires the ability to mknod.
> 
> why? cap_mknod is not dropped and the cgroup.devices allows to create
> the null device.

Because only real-root can do mknod, root in a userns can't, otherwise
any user could start using mknod and then grant themselves access to any
device they wish.

> 
> /stephan

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
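The point Stéphane makes above can be checked directly: a process that unshares into a new user namespace and maps itself to uid 0 does hold CAP_MKNOD in that namespace, yet the kernel's device-node check is against the initial user namespace, so mknod of a character device still fails. The probe below is an added example, not code from this thread or from LXC; it assumes a Linux system with user namespaces and the constructed scratch path /tmp/userns_mknod_probe, and it tries to create a node with /dev/null's major/minor numbers (1,3) purely to observe the error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

/* Outcome of the probe, filled in by the child and sent back over a pipe. */
struct probe {
    int unshare_errno;  /* 0 if unshare(CLONE_NEWUSER) succeeded */
    int map_errno;      /* 0 if ns uid/gid 0 could be mapped onto the caller */
    int has_cap_mknod;  /* 1 if CAP_MKNOD is in the effective set inside the ns */
    int mknod_errno;    /* errno from mknod(); 0 only if the node was created */
};

/* Write a short string to a /proc file; returns -1 with errno set on failure. */
static int write_file(const char *path, const char *buf) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, strlen(buf));
    int saved = errno;
    close(fd);
    if (n < 0) { errno = saved; return -1; }
    return 0;
}

static void run_child(const char *path, int out_fd) {
    struct probe p = {0};
    uid_t uid = getuid();
    gid_t gid = getgid();
    char buf[64];

    if (unshare(CLONE_NEWUSER) < 0) { p.unshare_errno = errno; goto done; }

    /* Become "root" inside the namespace: map ns uid/gid 0 to our real ids.
       setgroups must be denied before an unprivileged gid_map write (3.19+);
       on older kernels the file is absent and the failure is harmless. */
    write_file("/proc/self/setgroups", "deny");
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/uid_map", buf) < 0) { p.map_errno = errno; goto done; }
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)gid);
    if (write_file("/proc/self/gid_map", buf) < 0) { p.map_errno = errno; goto done; }

    /* What the kernel reports as our capabilities inside the new namespace. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (syscall(SYS_capget, &hdr, data) == 0)
        p.has_cap_mknod = (data[0].effective >> CAP_MKNOD) & 1;  /* CAP_MKNOD = 27, word 0 */

    /* The actual attempt: a char device with /dev/null's numbers. Expected: EPERM. */
    if (mknod(path, S_IFCHR | 0666, makedev(1, 3)) < 0)
        p.mknod_errno = errno;
    else
        unlink(path);  /* not expected; clean up if it ever happens */
done:
    (void)!write(out_fd, &p, sizeof p);
    _exit(0);
}

/* Runs the probe in a forked child; returns 0 and fills *out on success, -1 otherwise. */
int probe_mknod_in_userns(const char *path, struct probe *out) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) { close(fds[0]); run_child(path, fds[1]); }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* 1 if no device node was created inside a user namespace (the secure outcome),
   0 if one was, -1 if the probe itself could not run. */
int mknod_denied_in_userns(const char *path) {
    struct probe p;
    if (probe_mknod_in_userns(path, &p) < 0) return -1;
    return (p.mknod_errno != 0 || p.unshare_errno != 0 || p.map_errno != 0) ? 1 : 0;
}

int main(void) {
    struct probe p;
    if (probe_mknod_in_userns("/tmp/userns_mknod_probe", &p) < 0) { perror("probe"); return 1; }
    if (p.unshare_errno) printf("unshare(CLONE_NEWUSER): %s\n", strerror(p.unshare_errno));
    else if (p.map_errno) printf("uid/gid map: %s\n", strerror(p.map_errno));
    else printf("CAP_MKNOD effective in ns: %d, mknod: %s\n",
                p.has_cap_mknod, p.mknod_errno ? strerror(p.mknod_errno) : "succeeded");
    return 0;
}
```

On a kernel with unprivileged user namespaces enabled the output is "CAP_MKNOD effective in ns: 1, mknod: Operation not permitted": the capability is present, as Stephan observed, but it is only meaningful within the namespace, and the devices cgroup is consulted after this capability check, so permitting the node there changes nothing. This is why a container's /dev has to be populated by the real-root side of the setup rather than by the container's own init.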