Remove writable group file due to issues with being able to give su access when shouldn't be allowed.#653
Conversation
…ccess when shouldn't be allowed.
|
Actually, thinking about it some more, not sure removing this makes any difference. For someone to be able to add an entry to the The only thing one can do is document that if running with a |
|
Withdrawing this as indeed makes no difference and how is currently done can't be improved. Can only document that should drop capabilities as necessary. |
|
May yet reopen this. Although there is no even if when run with uid not in |
|
Note that this PR was superseded by #654 which contains the addition of |
This change is to revert making the
/etc/groupfile writable as part solution to avoid issues as discussed in #560.Although it means in environment where container run as group ID not in
/etc/groupsyou will get a warning:in certain situations when creating an interactive shell in the container, there is no known Python packages or applications which will fail if running with a group ID not in
/etc/group.With the
/etc/groupfile once again not writable, as part of #560 can then work out whether restrictingsuto members ofwheelgroup can be done and lock downsufor normal case.