Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2019/05/07 03:47:00 UTC

[jira] [Created] (MESOS-9768) Allow operators to mount the container rootfs with the `nosuid` flag

James Peach created MESOS-9768:
----------------------------------

             Summary: Allow operators to mount the container rootfs with the `nosuid` flag
                 Key: MESOS-9768
                 URL: https://issues.apache.org/jira/browse/MESOS-9768
             Project: Mesos
          Issue Type: Improvement
          Components: containerization
            Reporter: James Peach


If cluster users are allowed to launch containers with arbitrary images, those images may contain setuid programs. For security reasons (auditing, privilege escalation), operators may wish to ensure that setuid programs cannot be used within a container.

 

We should provide a way for operators to be able to specify that container volumes (including `/`) should be mounted with the `nosuid` flag.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
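
An operator-side check for the property requested above, added here as an example (it is not part of the issue or of Mesos): it parses `/proc/self/mountinfo` from inside a container's mount namespace and lists the mounts that lack `nosuid`. The sample data and the function names are constructed for illustration.

```python
import re

# Constructed sample of /proc/self/mountinfo as seen inside a container.
SAMPLE_MOUNTINFO = """\
510 400 8:1 /rootfs / rw,relatime - ext4 /dev/sda1 rw
511 510 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
512 510 0:40 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
513 510 8:1 /vol/a /mnt/data\\040set rw,relatime shared:12 - ext4 /dev/sda1 rw
"""


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return one dict per mount: mount point, per-mount options, fs type."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        # Fields 0-5 are fixed; optional fields follow until a lone "-".
        if len(fields) < 9 or "-" not in fields[6:]:
            continue  # skip blank or malformed lines
        sep = fields.index("-", 6)
        mounts.append({
            "mount_point": _unescape(fields[4]),
            "options": set(fields[5].split(",")),  # per-mount flags
            "fstype": fields[sep + 1],
        })
    return mounts


def missing_nosuid(text):
    """Mount points whose per-mount options do not include nosuid."""
    return [m["mount_point"] for m in parse_mountinfo(text)
            if "nosuid" not in m["options"]]


if __name__ == "__main__":
    # Run inside the container to audit its own mount namespace.
    with open("/proc/self/mountinfo") as f:
        for mount_point in missing_nosuid(f.read()):
            print("setuid still honoured on:", mount_point)
```

The check reads the per-mount options (sixth field), which is where `nosuid` appears for bind mounts as well as for whole filesystems.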