[lxc-devel] [PATCH] Fix unprivileged containers started by root
Stephan Sachse
ste.sachse at gmail.com
Thu Feb 27 08:59:40 UTC 2014
On Wed, Feb 26, 2014 at 8:53 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> To make things consistent as well as avoid potential range conflicts,
> I'm removing the code that was directly writing the uid/gid ranges and
> instead force all unprivileged containers through newuidmap/newgidmap.
> This means you need to grant uid/gid ranges to root just as you would
> for a normal user.
I'm starting containers only as root and don't see the point of mapping all uids/gids to other uids/gids. I only map 0 to 100000 and keep all other uids/gids as they are, and I do this the same way in every container (0 -> 100000). Is this a security problem? For me, IMHO, not. Every container has its own rootfs.
/stephan
--
Software is like sex, it's better when it's free!
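As an added illustration (not code from this thread or from LXC itself) of the two points raised above, here is a small Python audit that applies the rule newuidmap enforces (a mapping's whole host range must sit inside a range granted in /etc/subuid) and then checks whether two containers hand out the same host ids, which is the range-conflict case. The lxc.id_map line format, the subuid grant to root and the container configs are assumptions constructed for the example.

```python
from typing import Dict, List, NamedTuple, Tuple

IdMap = NamedTuple("IdMap", [("ns_start", int), ("host_start", int), ("count", int)])  # ns id -> host id range

def parse_subuid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Return {user: [(start, count), ...]} from /etc/subuid or /etc/subgid text."""
    grants: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, start, count = line.strip().split(":")
            grants.setdefault(user, []).append((int(start), int(count)))
    return grants

def parse_id_map(config: str, kind: str = "u") -> List[IdMap]:
    """Parse 'lxc.id_map = u <ns> <host> <count>' lines for kind 'u' or 'g' (assumed format)."""
    maps = []
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "lxc.id_map" and value.split()[0] == kind:
            _, ns, host, count = value.split()
            maps.append(IdMap(int(ns), int(host), int(count)))
    return maps

def within_grants(m: IdMap, grants: List[Tuple[int, int]]) -> bool:
    """newuidmap rule: the whole host range must lie inside one granted range."""
    return any(s <= m.host_start and m.host_start + m.count <= s + c for s, c in grants)

def overlaps(a: IdMap, b: IdMap) -> bool:
    """True when two mappings hand out the same host ids."""
    return a.host_start < b.host_start + b.count and b.host_start < a.host_start + a.count

def audit(configs: Dict[str, str], subuid: str, user: str = "root") -> List[str]:
    """Flag mappings outside the user's grants and host ranges shared by two containers."""
    grants = parse_subuid(subuid).get(user, [])
    parsed = {name: parse_id_map(cfg) for name, cfg in configs.items()}
    findings = [f"{n}: host ids {m.host_start}+{m.count} not granted to {user}"
                for n, maps in parsed.items() for m in maps if not within_grants(m, grants)]
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(overlaps(x, y) for x in parsed[a] for y in parsed[b]):
                findings.append(f"{a} and {b}: same host uids own both rootfs trees")
    return findings

# Constructed sample: root granted one range, both containers using 0 -> 100000,
# and c2 additionally trying to keep uid 1000 identity-mapped.
SAMPLE_SUBUID = "root:100000:65536\n"
SAMPLE_CONFIGS = {"c1": "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n",
                  "c2": "lxc.id_map = u 0 100000 65536\nlxc.id_map = u 1000 1000 1\n"}
```

Running `audit(SAMPLE_CONFIGS, SAMPLE_SUBUID)` reports c2's identity mapping of uid 1000 as outside root's grant and c1/c2 as sharing host ids; granting each container its own disjoint subuid range clears both findings.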