[lxc-devel] security considerations when running lxc as non-root

Serge E. Hallyn serge.hallyn at canonical.com
Fri Jul 2 16:07:56 UTC 2010


Quoting Ferenc Wagner (wferi at niif.hu):
> Daniel Lezcano <daniel.lezcano at free.fr> writes:
> 
> > The lxc tools can be run as non-root with all the needed capabilities
> > set by lxc-setcap via the file capabilities. The command run by lxc
> > won't have these privileges of course.
> 
> I've always regarded such setups as a root shell by design, as it lets
> any user mount a filesystem containing a setuid root shell, then create
> another on some outside filesystem.
> Or is there anything in place to prevent that?

We really really need to get the user namespaces more advanced,
so that the container ends up with capabilities targeted to his
namespaces, but no capabilities on the host.

Eric's userid-namespaces-over-unix-sock patch is finally in
net-next, and can be seen as a step in the right direction.  (It
will prevent root in a container from being seen as privileged
by dbus/upstart.)

-serge
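As an added example (not from the thread or the lxc project, constructed sample input rather than a real host): POSIX shell helpers that audit the two conditions Ferenc's scenario depends on, a binary carrying cap_sys_admin via file capabilities (the capability mount(2) requires; lxc-setcap is assumed to grant it) and a user-reachable mount without nosuid, plus a check for setuid files under a given mount.

```shell
# Constructed /proc/mounts lines: <device> <mountpoint> <fstype> <options> <dump> <pass>
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev 0 0
/dev/loop0 /home/user/ctroot ext3 rw,relatime 0 0'

# Constructed getcap(8) output, in both the old "path = caps+ep" and
# the newer "path caps=ep" styles; the first field is always the path.
SAMPLE_GETCAP='/usr/bin/lxc-start = cap_net_admin,cap_sys_admin+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/lxc-unshare cap_sys_admin=ep'

# Print mount points whose options lack nosuid: a setuid-root binary
# placed on such a mount runs with root privileges on the host.
mounts_without_nosuid() {
    printf '%s\n' "$1" |
        awk '$4 !~ /(^|,)nosuid(,|$)/ { print $2 }'
}

# Print binaries whose file capabilities include cap_sys_admin, the
# capability needed for mount(2); these are the tools worth reviewing.
binaries_with_sys_admin() {
    printf '%s\n' "$1" |
        awk '/cap_sys_admin/ { print $1 }'
}

# Print regular files with the setuid bit under a directory, staying on
# one filesystem (-xdev); point it at any mount a non-root user controls.
setuid_files_under() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

echo "Mounts without nosuid:"
mounts_without_nosuid "$SAMPLE_MOUNTS"
echo "Binaries with cap_sys_admin:"
binaries_with_sys_admin "$SAMPLE_GETCAP"
```

Replace the sample strings with `cat /proc/mounts` and `getcap -r / 2>/dev/null` to audit a live system.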
