Re: [systemd-devel] Improving systemd-nspawn@.service (container dir/nonpersistant journal)

2014-11-20 Thread Lennart Poettering
On Thu, 20.11.14 14:48, Martin Pitt (martin.p...@ubuntu.com) wrote:

> > Sounds reasonable. But first, can you elaborate on the reason for 0700
> > rather than 0755?
>
> Mostly so that users on the host can't call suid root binaries in the
> container. If containers are restricted with selinux/appa

Re: [systemd-devel] Improving systemd-nspawn@.service (container dir/nonpersistant journal)

2014-11-20 Thread Martin Pitt
Hey,

Lennart Poettering [2014-11-20 12:29 +0100]:
> > d /var/lib/containers 0700 - - -
> >
> > to tmpfiles.d/var.conf? I can also add this to the Debian tmpfiles.d
> > file, but it's not really Debian specific.
>
> Sounds reasonable. But first, can you elaborate on the reason for 0700
> rathe

Re: [systemd-devel] Improving systemd-nspawn@.service (container dir/nonpersistant journal)

2014-11-20 Thread Lennart Poettering
On Thu, 20.11.14 10:32, Martin Pitt (martin.p...@ubuntu.com) wrote:

> Hello all,

heya,

> we just got a bug report [1] about the systemd-nspawn@.service not
> working very well by default:
>
> First, /var/lib/containers/ does not exist by default. To guard
> against information leaks or hard lin

[systemd-devel] Improving systemd-nspawn@.service (container dir/nonpersistant journal)

2014-11-20 Thread Martin Pitt
Hello all,

we just got a bug report [1] about the systemd-nspawn@.service not
working very well by default:

First, /var/lib/containers/ does not exist by default. To guard
against information leaks or hard link attacks by users, this directory
should be 0700 by default. LXC does the same (/var/li