From f4d5cc8e1f39d132b61e110674528cac727ae0e2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?St=C3=A9phane=20Graber?=
Date: Wed, 18 Dec 2013 23:06:25 +0100
Subject: [PATCH] sshd: Don't bind-mount /sbin/init read-write
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

lxc-sshd was mounting itself (the template script) as /sbin/init in the container using a writable bind-mount. This shouldn't be needed and could lead to quite a few problems should one of those containers overwrite /sbin/init for some reason. Instead simply move to a read-only bind-mount which should prevent any accidental dammage.

Signed-off-by: Stéphane Graber
---
 templates/lxc-sshd.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index b8df78f07..bbbea62f9 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -128,7 +128,7 @@ lxc.mount.entry = /bin bin none ro,bind 0 0
 lxc.mount.entry = /usr usr none ro,bind 0 0
 lxc.mount.entry = /sbin sbin none ro,bind 0 0
 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
-lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
+lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry = sysfs sys sysfs ro 0 0
 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
-- 
2.47.3
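Review bot: The `ro` flag on the new `sbin/init` entry only becomes effective if the mount helper follows the bind with a remount carrying the read-only flag, because a single bind mount(2) call does not apply `ro` on its own; the hunk cannot show whether this LXC version does that, though the `/bin`, `/usr` and `/sbin` entries above it already rely on the same behaviour, so the new line is at least consistent with them. The protection is also against accidental writes only, as the commit message says: a read-only bind mount can be remounted writable by a container that keeps mount privileges, so the entry deserves a comment stating that scope, e.g. `# ro: keep the container from clobbering the lxc-sshd template script it boots from; this is not a barrier against a privileged container remounting it rw`. The config block these `lxc.mount.entry` lines belong to starts and ends outside the hunk.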