[Devel] Re: [PATCH 0/9] Multiple devpts instances

Eric W. Biederman ebiederm at xmission.com
Thu Feb 19 15:59:11 PST 2009


Daniel Lezcano <daniel.lezcano at free.fr> writes:

> But if I am able to create a new instance of devpts for a container and modify
> the configuration of another devpts from this container, is it acceptable? Can
> we convince people to use the containers for security and have anybody able to
> make a pty starvation from one container to another ?

I hardly see how that is significant.  Anyone can allocate the rest of the possible
pty's today.  The situation does not get worse with devpts.

If you want security and permission arguments get with Serge and finish
the uid namespace.  Then you will have a user that looks like root but
does not have permissions to do most things.

> If it is too complicated to handle one value per new devpts instance, IMHO
> /proc/sys/kernel/pty/max should be, at least, read-only for the new instance, no?

No.  Either we add a pty_max value to the filesystem like we did with ptmx
or we forget it.

Eric