Hacker News

Oops

-- A developer whose app needs to run as root (for a well-documented reason, and with a tight systemd sandbox hiding most of the filesystem from it)



If it is running as root, can't it just manipulate its mount namespace at will? Mount devtmpfs, then mount user partitions.


I believe one can use "capabilities" and seccomp to lock down a superuser process.


Systemd can put it in its own namespaces, like a container.
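
Added example, not written by any commenter in this thread: a systemd unit that combines the three controls mentioned above (capability bounding set, seccomp filter, private namespaces) so that a UID 0 service cannot remount its way out of the sandbox. The unit name, binary path and the single retained capability are assumptions chosen for illustration.

```ini
# /etc/systemd/system/example-rootapp.service  (hypothetical name and path)
[Unit]
Description=Example root service that cannot alter its mount namespace

[Service]
# Hypothetical binary. The process still runs as UID 0.
ExecStart=/usr/local/bin/example-rootapp
User=root

# --- Capabilities ---
# Allowlist instead of full root. mount(2) and umount2(2) need CAP_SYS_ADMIN,
# and mknod(2) for device nodes needs CAP_MKNOD; neither is granted here.
# Assumption: the app only needs to bind a port below 1024.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Stops setuid binaries and file capabilities from handing privileges back.
NoNewPrivileges=yes

# --- seccomp ---
# Second layer: deny the mount, module-loading and raw I/O syscall groups
# even if a capability is granted by mistake later.
SystemCallFilter=~@mount @module @raw-io
SystemCallErrorNumber=EPERM
# Blocks non-native ABIs, which could otherwise sidestep the filter.
SystemCallArchitectures=native

# --- Namespaces and filesystem view ---
# Private mount namespace with a read-only view of the OS.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# Private /dev containing only pseudo-devices; no block devices to mount.
PrivateDevices=yes
DevicePolicy=closed
# No new user, mount or other namespaces in which to regain capabilities.
RestrictNamespaces=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
# The only writable location, created by systemd as /var/lib/example-rootapp.
StateDirectory=example-rootapp

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security example-rootapp.service` reports which of these settings are active and what exposure remains.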



