chiark / gitweb /
~ianmdlvl / elogind.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1fc5560)
tmpfiles.d: Create /var/lib/containers
authorMartin Pitt <martin.pitt@ubuntu.com>
Thu, 20 Nov 2014 13:37:08 +0000 (14:37 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 20 Nov 2014 23:34:26 +0000 (00:34 +0100)
Create /var/lib/containers so that it exists with an appropriate mode. We want
0700 by default so that users on the host aren't able to call suid root
binaries in the container. This becomes a security issue if a user can enter a
container as root, create a suid root binary, and call that from the host.
(This assumes that containers are caged by mandatory access control or are
started as user).

tmpfiles.d/var.conf patch | blob | history

diff --git a/tmpfiles.d/var.conf b/tmpfiles.d/var.conf
index 4b63e4197ba3bc115f5640d2d20ef99cb3893ccc..b4bf3bc58b8584c2e9293855b3a7b07024203c22 100644 (file)
--- a/tmpfiles.d/var.conf
+++ b/tmpfiles.d/var.conf
@@ -18,4 +18,6 @@ f /var/log/btmp 0600 root utmp -
 d /var/cache 0755 - - -
 
 d /var/lib 0755 - - -
 d /var/cache 0755 - - -
 
 d /var/lib 0755 - - -
+d /var/lib/containers 0700 - - -
+
 d /var/spool 0755 - - -
 d /var/spool 0755 - - -
Unnamed repository; edit this file 'description' to name the repository.