update TODO

2024-11-27 04:03:36 +08:00 · 2023-03-14 22:36:14 +01:00 · 2023-03-14 22:36:14 +01:00 · c1c4ecd356
commit c1c4ecd356
parent a3c3386eac
1 changed files with 5 additions and 0 deletions
--- a/5
+++ b/5
@ -129,6 +129,11 @@ Deprecations and removals:

 Features:

+* mount /tmp/ and /var/tmp with a uidmap applied that blocks out "nobody" user
+  among other things such as dynamic uid ranges for containers and so on. That
+  way noone can create files there with these uids and we enforce they are only
+  used transiently, never persistently.
+
 * set MS_NOSYMFOLLOW for ESP and XBOOTLDR mounts both in gpt-generator and in
  dissect.c