<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Feb 15, 2016 at 11:56 AM, John Siu <span dir="ltr"><<a href="mailto:john.sd.siu@gmail.com" target="_blank">john.sd.siu@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Is there any advantage to use separate subuid and subguid for each container?<br>
<br>
For example, when multiple unprivileged containers with the same subuid 100000, ps will show something like the following:<br>
<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">One cannot tell which process is owned by which container.<br>
<br></blockquote><div><br></div><div>ps -ea -O cgroup:50<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Additionally, using the same subuid, is there any concern about one container gaining access to the other containers? Or is this not a problem at all?<br>
<br></blockquote><div><br></div><div>in theory, yes, AFAIK that is a possibility. If somehow a process manage to break out of the container, it might be able to do stuff in the host as an unpriviliged user.</div><div><br></div><div>I haven't seen any attacks like that on recent systems though. In particular, with apparmor and lxcfs enabled, you should get an additional layer of security. So personally I find it's still acceptable for multiple unpriv containers to share the same subuid.</div><div><br></div><div>-- </div><div>Fajar</div></div></div></div>