[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[atomic-devel] Oneway - a way to drop privileges inside containers and lock it like that


Typical fictional unicorn containers should have one process

On practice it's actually processes of one concern ex. Apache

One issue is that your entry point /start.sh should exec to replace the shell (so that application process would recieve signals)

Since start.sh is pid 1 it has the responsibility to handle zombies. For this we can use yelp's dumb-init (which is almost to be pushed to official repo and already in copr)


Typically our start.sh start confd in background using nohup

Then I exec my application but I would like to drop privileges, first I used exec sudo or exec su but it wont replace the proces.

I wrote a simple application that drop groups , supplementary groups and user

Not only that but also it can optionally set
PR_SET_NO_NEW_PRIVS with prctl
So that it will never get more privileges even with sudo/su.

What do you think?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]