[lxc-devel] [PATCH 0/3] lxc-attach: Additional improvements
Christian Seiler
christian at iwakd.de
Mon Mar 4 19:20:21 UTC 2013
Hi,
I've attached three additional patches for possible improvements to
lxc-attach.
The first two I think should be applied directly; they do the
following:
1) Create a sane fallback to /bin/sh if it is impossible to detect
the container's shell because of incompatible nss implementations
between host and container
2) Detect the user & group id of PID 1 and use that for lxc-attach
instead of root, when attaching to user namespaces.
The third patch I'm not really sure about the security implications of,
so I'm sending it as a draft, but somebody who knows more about the
specifics should look over it.
3) Add -u and -g options to lxc-attach to allow the user to specify
user and group ids to setuid()/setgid() to when attaching.
This feature could be really useful; on the other hand, I have
only ever used lxc running as root (never tried lxc-setcap), so I
have no idea if this could pose a potential security problem or
not. (When running as root, you have all the rights anyway, so
then it's fine.) I'd like some feedback on this before I feel
comfortable signing off on adding these options.
Now if somebody tells me that attach is only possible as root
anyway so far, then I don't have any qualms, but I'd rather be
safe than sorry.
-- Christian
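The two mechanisms that patches 1 and 2 describe, as an added C example that is not part of the submitted patches or of lxc itself: the /proc/<pid>/status text is a constructed sample, and the /bin/sh fallback is taken whenever the host's nss cannot resolve the container uid via getpwuid().

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <sys/types.h>

/* Constructed stand-in for /proc/1/status as seen from the host when the
 * container's init runs in a user namespace mapped to uid/gid 100000. */
static const char sample_status[] =
    "Name:\tinit\n"
    "State:\tS (sleeping)\n"
    "Uid:\t100000\t100000\t100000\t100000\n"
    "Gid:\t100000\t100000\t100000\t100000\n";

/* Patch 2's idea: read the real uid/gid of the container's init from its
 * /proc/<pid>/status (first field of the Uid:/Gid: lines) instead of
 * assuming root. Returns 0 on success, -1 if either line is missing. */
int parse_status_ids(const char *status, uid_t *uid, gid_t *gid)
{
    int have_uid = 0, have_gid = 0;
    const char *line = status;
    while (line && *line) {
        unsigned long v;
        if (sscanf(line, "Uid: %lu", &v) == 1) { *uid = (uid_t)v; have_uid = 1; }
        else if (sscanf(line, "Gid: %lu", &v) == 1) { *gid = (gid_t)v; have_gid = 1; }
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line) line++;
    }
    return (have_uid && have_gid) ? 0 : -1;
}

/* Patch 1's idea: use the passwd shell when the (host-side) nss lookup
 * succeeds, otherwise fall back to /bin/sh rather than failing the attach.
 * Returns the chosen shell path written into buf. */
const char *choose_shell(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    if (pw && pw->pw_shell && pw->pw_shell[0] == '/')
        snprintf(buf, len, "%s", pw->pw_shell);
    else
        snprintf(buf, len, "/bin/sh");
    return buf;
}

int main(void)
{
    uid_t uid; gid_t gid; char shell[256];
    if (parse_status_ids(sample_status, &uid, &gid) != 0)
        return 1;
    printf("init uid=%lu gid=%lu shell=%s\n", (unsigned long)uid,
           (unsigned long)gid, choose_shell(uid, shell, sizeof shell));
    return 0;
}
```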