[patch 8/9] unprivileged mounts: propagation: inherit owner
miklos at szeredi.hu
Tue Jan 15 02:39:08 PST 2008
> Quoting Miklos Szeredi (miklos at szeredi.hu):
> > From: Miklos Szeredi <mszeredi at suse.cz>
> > On mount propagation, let the owner of the clone be inherited from the
> > parent into which it has been propagated. Also if the parent has the
> > "nosuid" flag, set this flag for the child as well.
> What about nodev?
Hmm, I think the nosuid thing is meant to prevent suid mounts being
introduced into a "suidless" namespace. This doesn't apply to dev
mounts, which are quite safe in a suidless environment, as long as the
user is not able to create devices. But that should be taken care of
by capability tests.
I'll update the description.
More information about the Containers