From: Claudius Heine <claudius.heine.ext@siemens.com>
To: Ben Brenson <benbrenson89@googlemail.com>,
isar-users <isar-users@googlegroups.com>
Subject: Re: Isar fork
Date: Wed, 18 Oct 2017 16:22:02 +0200 [thread overview]
Message-ID: <59df5846-f9e2-8af5-39b1-92b5b6770122@siemens.com> (raw)
In-Reply-To: <74238db2-27cf-4cb3-b549-60da092134d3@googlegroups.com>
Hi,
On 10/18/2017 04:02 PM, 'Ben Brenson' via isar-users wrote:
> Root privileges inside a Docker container are sadly not a good enough
>> security mechanism, because you would have to grant the container the
>> sys_admin capabilities for loop mount and now its able to potentially
>> overwrite disk content or access the complete host memory.
>>
>
> So the best solution would be to implement a non-root approach. Otherwise
> there will always persist some security issues.
> For now I don't have any solutions, yet.
> A time ago I tried to setup debootstrap by using fakechroot, but that
> wasn't staight forward to solve.
> Maybe with multistrap, things would be much easier here?
AFAIK that not the case. One problem of fakeroot/fakechroot is that is
works with LD_PRELOAD and therefor fails with static binaries. proot is
better there because is uses the same mechanism as strace (ptrace) to
capture syscalls. proot also allows to pseudo bind mount directories
into the chroot-path, which is useful. The problem with proot is however
that chown/chmod/mknot calls are not stored persistently.
So when I read 'schroot' in your commit history I got exited and hoped
that is the solution we all waited for. Doesn't seem to be the case though.
Cheers,
Claudius
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de
prev parent reply other threads:[~2017-10-18 14:22 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-18 9:23 Ben Brenson
2017-10-18 11:16 ` Jan Kiszka
2017-10-18 11:56 ` Ben Brenson
2017-10-18 12:09 ` Jan Kiszka
2017-10-18 11:56 ` Claudius Heine
2017-10-18 12:11 ` Ben Brenson
2017-10-18 12:52 ` Claudius Heine
2017-10-18 14:02 ` Ben Brenson
2017-10-18 14:19 ` Henning Schild
2017-10-18 14:22 ` Claudius Heine [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59df5846-f9e2-8af5-39b1-92b5b6770122@siemens.com \
--to=claudius.heine.ext@siemens.com \
--cc=benbrenson89@googlemail.com \
--cc=isar-users@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox