Docker-1.11 will add support for setting prctl(NO_NEW_PRIVS) via the
docker command line
https://github.com/docker/docker/pull/20727
docker run -it --rm --security-opt=no-new-privileges
fedora bash
Basically if you run this command on a non privleged user
account, it will disable any use
of setuid applications. No process can gain privileges with this
flag set.
For PAAS servers like OpenShift this is a big step forward in
security.
|