[lxc-devel] security considerations when running lxc as non-root

Serge E. Hallyn serge.hallyn at canonical.com
Thu Jul 1 15:58:15 UTC 2010


Haven't looked closely enough yet, but a few comments:

1. mount/umount make up a lot of the privileged calls, and
at some point these will hopefully be supported unprivileged
(at least for bind mounts).

2. one nice bonus of this is that we can easily spot where
priv is expected to be used

3. instead of keeping caps in pP and raising in pE when needed,
a more privilege-separated approach could be used, where you
have small privileged helpers which are called by the unprivileged
main program.  In this case, lxc-start would clear out both pP
and pE, but keep caps in pI.  Then, little helpers like
lxc-destroy-cgroup would have fP=fE=empty and fI=<some_set> where
some_set has just the caps it needs to do its job.  Then if any
normal user calls lxc-destroy-cgroup, it'll run with no privs,
but when lxc-start calls it with pI=full, then lxc-destroy-cgroup
will run with pP = (intersection of lxc-start's pI and lxc-destroy-cgroup's
fI).  It can then move bits from pP to pE when needed (or just
have fE=fI to have pE auto-filled).

-serge
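The helper scheme in point 3 depends entirely on how the kernel recomputes a process's capability sets at execve(). The model below is an added example, not LXC code and not Serge's; it encodes the transition rules from capabilities(7) as they stood for 2010 kernels (before ambient capabilities existed) and runs the three cases from the message: an ordinary user running the helper, lxc-start (pP and pE cleared, pI full) running it, and the same helper with fE set so pE is auto-filled. The type and function names (capset_t, struct procaps, exec_transition, and the hypothetical file caps for lxc-destroy-cgroup) are this example's own assumptions.

```c
/* Added example (not LXC code): a model of the execve() capability
 * transition rules from capabilities(7), applied to the scheme above:
 * lxc-start clears pP and pE but keeps pI, and a helper such as
 * lxc-destroy-cgroup carries fP=empty, fI=<needed caps>.
 *
 * Rules modelled (pre-ambient-set, as in 2010 kernels):
 *   pP' = (fP & bounding) | (pI & fI)
 *   pI' = pI
 *   pE' = fE ? pP' : empty
 * All names below are this example's own, not kernel or LXC APIs. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t capset_t;          /* one bit per capability number */
#define CAP(n)        ((capset_t)1 << (n))
#define CAP_NONE      ((capset_t)0)
#define CAP_FULL      (~(capset_t)0)

/* Capability numbers as in <linux/capability.h> */
#define CAP_CHOWN      0
#define CAP_SYS_ADMIN 21
#define CAP_MKNOD     27

struct procaps  { capset_t pP, pE, pI; };        /* permitted, effective, inheritable */
struct filecaps { capset_t fP, fI; bool fE; };   /* file caps on the helper binary */

/* The kernel's transformation at execve() of a binary carrying file caps. */
struct procaps exec_transition(struct procaps old, struct filecaps f, capset_t bounding)
{
    struct procaps res;
    res.pP = (f.fP & bounding) | (old.pI & f.fI);
    res.pI = old.pI;
    res.pE = f.fE ? res.pP : CAP_NONE;
    return res;
}

/* What lxc-start does before exec'ing helpers: drop pP and pE, keep pI.
 * Dropping is always permitted; capset() only refuses to add bits. */
struct procaps drop_to_inheritable(struct procaps c)
{
    c.pP = CAP_NONE;
    c.pE = CAP_NONE;
    return c;
}

/* A helper raising the bits it needs into pE. Only bits already in pP
 * can be raised; anything else in `want` is silently ignored here. */
struct procaps raise_effective(struct procaps c, capset_t want)
{
    c.pE |= (want & c.pP);
    return c;
}

/* Hypothetical file caps for lxc-destroy-cgroup: nothing permitted
 * outright, CAP_SYS_ADMIN inheritable only, no "effective" flag. */
static const struct filecaps destroy_cgroup_caps = {
    .fP = CAP_NONE, .fI = CAP(CAP_SYS_ADMIN), .fE = false
};

/* Scenario 1: an ordinary user (empty pI) runs the helper directly. */
struct procaps helper_run_by_user(void)
{
    struct procaps user = { .pP = CAP_NONE, .pE = CAP_NONE, .pI = CAP_NONE };
    return exec_transition(user, destroy_cgroup_caps, CAP_FULL);
}

/* Scenario 2: lxc-start drops pP/pE, keeps pI=full, execs the helper,
 * and the helper raises CAP_SYS_ADMIN when it actually needs it. */
struct procaps helper_run_by_lxc_start(void)
{
    struct procaps start = { .pP = CAP_FULL, .pE = CAP_FULL, .pI = CAP_FULL };
    start = drop_to_inheritable(start);
    struct procaps helper = exec_transition(start, destroy_cgroup_caps, CAP_FULL);
    return raise_effective(helper, CAP(CAP_SYS_ADMIN));
}

/* Scenario 3: same caller, but the helper has fE set so pE = pP on exec. */
struct procaps helper_with_fE(void)
{
    struct filecaps fc = destroy_cgroup_caps;
    fc.fE = true;
    struct procaps start =
        drop_to_inheritable((struct procaps){ CAP_FULL, CAP_FULL, CAP_FULL });
    return exec_transition(start, fc, CAP_FULL);
}

int main(void)
{
    struct procaps u = helper_run_by_user();
    struct procaps s = helper_run_by_lxc_start();
    printf("run by user:      pP=%#llx pE=%#llx\n",
           (unsigned long long)u.pP, (unsigned long long)u.pE);
    printf("run by lxc-start: pP=%#llx pE=%#llx\n",
           (unsigned long long)s.pP, (unsigned long long)s.pE);
    return 0;
}
```

Two things the model makes visible that the prose leaves implicit: the helper's pP is exactly pI & fI, so a caller with an empty pI gets nothing no matter what the helper's fI says, and raise_effective() cannot add a bit the exec transition did not put in pP (asking for CAP_MKNOD when only CAP_SYS_ADMIN is inheritable leaves pE unchanged). On a real system the helper's inheritable set would be written with setcap (for example `setcap cap_sys_admin+i lxc-destroy-cgroup`), and lxc-start itself needs its own file caps or setuid bit to start with a full pI in the first place.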
