author | Yuriy M. Kaminskiy <yumkam@gmail.com> | 2016-02-22 02:15:45 +0300 |
---|---|---|
committer | Yuriy M. Kaminskiy <yumkam@gmail.com> | 2016-02-23 18:13:23 +0300 |
commit | 4db1a65a0775ce3cc65febc41ac84f5cfc81a51c (patch) | |
tree | 5083d243e9f6959e64ea4c0a377ceb6bf385ae70 /test/fs_home_sanitize.exp | |
parent | x11 work (diff) | |
Add compile-time option to restrict --net= to root only

./configure --enable-network=restricted allows only --net=none to
non-root users.

Other variants delegate too much power to non-root users and are dangerous (it
completely bypasses system-wide firewall and routing, it allows introducing
arbitrarily chosen MAC and IP interfaces on LAN [disregarding DHCP
policy], etc).

Root already had power to twiddle with anything, so no sense to restrain
her, and --net=none looks safe enough (and still useful) for ordinary
users.
Diffstat (limited to 'test/fs_home_sanitize.exp')
0 files changed, 0 insertions, 0 deletions