On Fri, Jan 23, 2015 at 4:04 AM, Lennart Poettering <lenn...@poettering.net> wrote:
> On Thu, 22.01.15 15:53, Christian Seiler (christ...@iwakd.de) wrote: > > > Nevertheless, I think it would be great if this could also be fixed, > > because you never know what other applications people might come up > > with. > > > > The solution would probably be to just add a code path to chown > > the directory instead of mounting a tmpfs on top of it. That doesn't > > separate users from root inside the container quite as much, but in > > containers without CAP_SYS_ADMIN, I think that's a trade-off that's > > worth making. > > > > What do you think? > > Yeah, I agree. If we cannot mount the tmpfs due to EPERM we should add > a fallback to use a simple directory instead. Would be happy to take a > patch for that. > IIRC, the reason for tmpfs on /run/user/* was lack of tmpfs quotas... if that's still a problem, maybe there could be one tmpfs at /run/user, still preventing users from touching root-only /run? -- Mantas Mikulėnas <graw...@gmail.com>
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel