On Fri, Sep 27, 2013 at 07:33:28PM +0000, "Jóhann B. Guðmundsson" wrote:
I dont have any security degrees nor do I consider myself an evil
man and probably Steve and Dan would be better suited to answer this
question since I'm far from being any expert on the subject but
hypothetically would not someone being able to do something like
this in this educational sample I'm providing
So, to cut out the code, what you're saying is that someone could use this
to create a binary which executes as effective root. This is true, but a)
one is actually running as root inside the container anyway and b) one can
just use full setuid. Additionally, this wouldn't let someone _not_ root in
the container set filesystem capabilities.
--
Matthew Miller mattdm(a)mattdm.org <
http://mattdm.org/>