[lxc-devel] [PATCH 1/1] fix root-owned unpriv containers
Serge Hallyn
serge.hallyn at ubuntu.com
Sun Sep 14 04:49:11 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Sun, Sep 14, 2014 at 04:38:30AM +0000, Serge Hallyn wrote:
> > lxc_map_ids was always using newuidmap if it existed. We don't want
> > to use it if we start as root.
>
> This was actually done on purpose to force everyone with a recent
> version of shadow to set proper ranges for root in /etc/subuid and
> /etc/subgid to avoid potential clashes at a later point when adding new
> users.
Hm. Seems to me root is not just another user who conflicts; he's a
special user.
In any case, if we're going to stick with that, then it needs to be
better documented :)
On a related note, I'm thinking that the chmod'ing of container dirs
in unpriv users' .local/share/lxc was the wrong approach. Perhaps we should
instead chmod .local/share/lxc itself to be 700. Have the user create
and chdir to .local/share/lxc/containerdir under his own euid, make
that 755, and work under there.
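The /etc/subuid and /etc/subgid ranges the thread argues about are what newuidmap enforces; the check below is an added example, not code from the lxc project or from either poster, showing how to verify that root actually has a range and that no two users' ranges clash. The file content is constructed, and the parser assumes the documented `name:start:count` line format.

```python
"""Check /etc/subuid-style files for a missing root range and for overlaps.

Added example, not part of the lxc-devel thread or the lxc code base. The
sample file content is constructed; parsing follows the documented
name:start:count line format of /etc/subuid and /etc/subgid.
"""
from typing import List, Tuple

# Constructed sample: root has a range, but 'bob' overlaps with 'alice'.
SAMPLE_SUBUID = """\
root:100000:65536
alice:165536:65536
bob:200000:65536
"""

Range = Tuple[str, int, int]  # (name, first id, last id inclusive)


def parse_subid(text: str) -> List[Range]:
    """Parse name:start:count lines into (name, first, last) tuples."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid id range")
        ranges.append((name, start, start + count - 1))
    return ranges


def has_range(ranges: List[Range], name: str) -> bool:
    """True if the named user has at least one subordinate id range."""
    return any(r[0] == name for r in ranges)


def overlaps(ranges: List[Range]) -> List[Tuple[str, str]]:
    """Return (name_a, name_b) pairs whose id ranges intersect."""
    clashes = []
    ordered = sorted(ranges, key=lambda r: r[1])  # by first id
    for i, (name_a, _first_a, last_a) in enumerate(ordered):
        for name_b, first_b, _last_b in ordered[i + 1:]:
            if first_b > last_a:
                break  # later ranges start even higher, so none intersect
            clashes.append((name_a, name_b))
    return clashes
```

Running `overlaps(parse_subid(SAMPLE_SUBUID))` on the sample reports the alice/bob clash; a file without a `root:` line fails `has_range(..., "root")`, which is the situation the newuidmap-only path was meant to flush out.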