[arch-general] [arch-dev-public] linux 3.16 in [testing]

Thomas Bächler thomas at archlinux.org
Wed Aug 13 17:24:40 EDT 2014


Am 13.08.2014 um 19:40 schrieb Damjan Georgievski:
>>> anyway. is there a reason this is not enabled now?
>>> all the mainstream distros hae it enabled now Fedora, RHEL/CentOS 7,
>>> Ubuntu and Debian (at least on the backported kernel)
>>
>> I'd think about it, if the feature wasn't entirely useless. Despite the
>> lack of official documentation, I found a document that described how it
>> worked. After reading that document I concluded that the feature is a
>> huge potential security risk with no actual benefit.
> 
> What security risk exactly? There was one that I know of, and it was fixed.

I am thinking about the risks that are yet unknown.

>> If you give me a valid use case for USER_NS, I might reconsider, but
>> every use case I can imagine is crushed by the limitations of the
>> implementation.
> 
> The use case is that you don't need root access to start a container.

That's interesting - I was unable to get anything like this done. Maybe
the LXC people are smarter than me after all.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140813/8003fd87/attachment-0001.asc>


More information about the arch-general mailing list