[arch-general] [arch-dev-public] linux 3.16 in [testing]
Damjan Georgievski
gdamjan at gmail.com
Wed Aug 13 13:40:27 EDT 2014
>> anyway. is there a reason this is not enabled now?
>> all the mainstream distros hae it enabled now Fedora, RHEL/CentOS 7,
>> Ubuntu and Debian (at least on the backported kernel)
>
> I'd think about it, if the feature wasn't entirely useless. Despite the
> lack of official documentation, I found a document that described how it
> worked. After reading that document I concluded that the feature is a
> huge potential security risk with no actual benefit.
What security risk exactly? There was one that I know of, and it was fixed.
> If you give me a valid use case for USER_NS, I might reconsider, but
> every use case I can imagine is crushed by the limitations of the
> implementation.
The use case is that you don't need root access to start a container.
I can run Firefox with a limited view to the filesystem for example,
as a normal user.
Or limited view to the network, for ex. just ipv4, just ipv6, just vpn.
--
damjan
More information about the arch-general
mailing list