[lxc-devel] security considerations when running lxc as non-root

[Ferenc Wagner]

Daniel Lezcano <daniel.lezcano at free.fr> writes:

> The lxc tools can be run as non-root with all the needed capabilities
> set by lxc-setcap via the file capabilities. The command run by lxc
> won't have these privileges of course.

I've always regarded such setups as a root shell by design, as it lets
any user mount a filesystem containing a setuid root shell, then create
another on some outside filesystem.
Or is there anything in place to prevent that?
-- 
Thanks,
Feri.