-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tinker with root inside the namespace #6
Comments
What about the security issues of running root inside boxxy container(if possible one day)? If root inside boxxy container could be possible, then an unprivileged user could use this to escalate privileges, for example by substituting /etc with sudoders inside or something. I'm asking because I'm going to develop a simplified setuid analog that allows root inside the container. And I want to avoid the vulnerabilities that come with it. |
@queer |
Yes, this is a possible concern. I don't know yet what a good fix would be as, quite honestly, I haven't yet run into a need for sudo inside of the container.
This is a possible fix, yes. I'm unsure what a good compromise on it would be as ex. there may be a genuine use-case for mounting over specific files in /etc. |
It's a whole thing and a half, but with a lot of trickery, it might be doable: https://github.com/sevagh/namespace-experiments
The text was updated successfully, but these errors were encountered: