enhance security via private TMP/TMPDIR by default
Nicholas Miell
nmiell at comcast.net
Wed May 18 22:55:48 UTC 2005
On Wed, 2005-05-18 at 18:48 -0400, Bill Nottingham wrote:
> Colin Walters (walters at redhat.com) said:
> > On Wed, 2005-05-18 at 20:15 +0200, Enrico Scholz wrote:
> >
> > > This CLONE_NEWNS and (related) 'mount --bind' operations are not very
> > > well supported by the kernel:
> > >
> > > * there does not exist a way to enter an already existing namespace; so,
> > > e.g. two different ssh sessions would have different /tmp directories
> >
> > Right, but that shouldn't be a problem since you can share data via your
> > home directory or a specially-designated scratch area, etc.
>
> Well, there's agent sockets and the like in your tmp dir.
Yes, but if all namespaces bind mount the same tmp dir, it doesn't
matter that processes are running in different namespaces.
--
Nicholas Miell <nmiell at comcast.net>
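
The arrangement described in the reply above, where every session gets its own namespace but all of a user's namespaces bind mount the same directory over /tmp, as an added example that is not code from the thread or from Fedora. It uses unshare(2), which postdates this discussion; `BACKING_ROOT`, `backing_path` and `enter_private_tmp` are hypothetical names, and `BACKING_ROOT` is assumed to already exist, owned by root and not writable by users.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

#define BACKING_ROOT "/var/private-tmp" /* hypothetical; root-owned */

/* Per-user backing directory, e.g. /var/private-tmp/1000. 0 on success. */
int backing_path(uid_t uid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s/%lu", BACKING_ROOT, (unsigned long)uid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Private mount namespace with the user's backing dir bound over /tmp.
 * Needs CAP_SYS_ADMIN, so call it before dropping privileges. */
int enter_private_tmp(uid_t uid, gid_t gid)
{
    char path[128];
    struct stat st;

    if (backing_path(uid, path, sizeof path) != 0) return -1;
    if (mkdir(path, 0700) == 0) {
        if (chown(path, uid, gid) != 0) return -1;
    } else if (errno != EEXIST) {
        return -1;
    }
    /* Refuse symlinks or directories owned by someone else. */
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != uid)
        return -1;
    if (unshare(CLONE_NEWNS) != 0) return -1;
    /* Stop the bind mount propagating to other namespaces. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return -1;
    return mount(path, "/tmp", NULL, MS_BIND, NULL);
}

/* Usage (as root): private-tmp UID GID command [args...] */
int main(int argc, char **argv)
{
    if (argc < 4) return 2;
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (enter_private_tmp(uid, gid) != 0) { perror("private tmp"); return 1; }
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return 1;
    execvp(argv[3], &argv[3]);
    return 127;
}
```

Two sessions started this way for the same UID sit in different mount namespaces but see the same files under /tmp, so a socket created in one is reachable from the other, while another user's session sees a different directory.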