On Dec 20, 2017, at 10:24 PM, Andy Bradford <amb-fos...@bradfords.org> wrote:
>
> Thus said Warren Young on Wed, 20 Dec 2017 21:02:01 -0700:
>
>> Linux containers aren't foolproof when it comes to permission
>> isolation. Better to not let Fossil have root privs even inside a
>> container.
>
> Fossil does chroot first and then drop root privileges which then
> changes to the user that owns the directory of fossils (or the fossil
> repository if serving only one).
If you’re running a privileged container, all you then need is a local root
escalation, one of which pops up roughly every year.
If you’re using an *unprivileged* container, you may be fine, though I don’t
know if those will allow the host-side port 80 to be bound to the container.
https://linuxcontainers.org/pt_br/lxc/security/
Another thought: perhaps SELinux or AppArmor is interfering here? Try turning
the one your host OS runs off temporarily. If it’s SELinux, set it to
permissive mode and then use audit2allow to build a policy that will fix the
problem:
https://wiki.centos.org/HowTos/SELinux
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
