On Thu, 2010-07-01 at 10:58 -0500, Serge E. Hallyn wrote:
> 3. instead of keeping caps in pP and raising in pE when needed,
> a more privilege-separated approach could be used, where you
> have small privileged helpers which are called by the unprivileged
> main program.  In this case, lxc-start would clear out both pP
> and pE, but keep caps in pI.  Then, little helpers like
> lxc-destroy-cgroup would have fP=fE=empty and fI=<some_set> where
> some_set has just the caps it needs to do its job.  Then if any
> normal user calls lxc-destroy-cgroup, it'll run with no privs,
> but when lxc-start calls it with pI=full, then lxc-destroy-cgroup
> will run with pP = (intersection of lxc-start's pI and
> lxc-destroy-cgroup's
> fI).  It can then move bits from pP to pE when needed (or just
> have fE=fI to have pE auto-filled).
> 

I definitely like this approach. Is it possible to do something similar
without relying on file capabilities? To handle the case where liblxc
binaries are located on NFS, for example.

-- 
Gregory Kurz                                     gk...@fr.ibm.com
Software Engineer @ IBM/Meiosys                  http://www.ibm.com
Tel +33 (0)534 638 479                           Fax +33 (0)561 400 420

"Anarchy is about taking complete responsibility for yourself."
        Alan Moore.
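Added example (not from the thread or from lxc): a small model of the execve capability rules from capabilities(7), run against Serge's helper design above and against Gregory's NFS case. It assumes the helper needs only CAP_SYS_ADMIN and models fE as the single flag Linux actually stores (fE=fI in Serge's text corresponds to that flag being set).

```python
from dataclasses import dataclass

# Capability bit number from <linux/capability.h>.
CAP_SYS_ADMIN = 21
FULL = (1 << 64) - 1  # constructed "every capability" mask for the example

def capset(*bits: int) -> int:
    return sum(1 << b for b in bits)

@dataclass(frozen=True)
class ProcCaps:
    pP: int  # permitted
    pE: int  # effective
    pI: int  # inheritable

@dataclass(frozen=True)
class FileCaps:
    fP: int = 0
    fI: int = 0
    fE: bool = False  # on Linux fE is one flag: "raise pE to the new pP on exec"

def execve(proc: ProcCaps, f: FileCaps, bounding: int = FULL) -> ProcCaps:
    """Capability transformation on execve as documented in capabilities(7)
    (the rules in force before ambient capabilities were added)."""
    new_pP = (proc.pI & f.fI) | (f.fP & bounding)
    new_pE = new_pP if f.fE else 0
    return ProcCaps(new_pP, new_pE, proc.pI)

def raise_effective(proc: ProcCaps, wanted: int) -> ProcCaps:
    """Model of capset(2) raising pE: only bits already in pP may be raised."""
    if wanted & ~proc.pP:
        raise PermissionError("cannot raise effective bits outside permitted")
    return ProcCaps(proc.pP, proc.pE | wanted, proc.pI)

# Assumption: the cgroup helper needs only CAP_SYS_ADMIN.
HELPER_SET = capset(CAP_SYS_ADMIN)
# Helper binary with fP=fE=empty and fI=HELPER_SET; it raises pE itself.
HELPER_FCAPS = FileCaps(fP=0, fI=HELPER_SET, fE=False)
# Same binary on a filesystem without file capabilities (e.g. an NFS mount).
HELPER_NO_FCAPS = FileCaps()
LXC_START = ProcCaps(pP=0, pE=0, pI=FULL)  # pP and pE cleared, pI kept
NORMAL_USER = ProcCaps(pP=0, pE=0, pI=0)

def run_helper(caller: ProcCaps, fcaps: FileCaps) -> ProcCaps:
    """What the helper ends up with after exec and after raising what it got."""
    child = execve(caller, fcaps)
    return raise_effective(child, child.pP)
```

Called from lxc-start the helper ends with pP = pE = CAP_SYS_ADMIN, from a normal user with nothing, and from lxc-start on the NFS copy (no fI) also with nothing, which is exactly the gap the NFS question points at.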


_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel