[Lxc-users] running lxc-execute as user

Justin Cormack justin at specialbusservice.com
Fri Apr 8 13:49:50 UTC 2011


On Thu, 2011-04-07 at 18:00 +0100, Justin Cormack wrote:
> I want to run a command in a container with lxc-execute, and it's not
> something that does setuid, setgid itself, it expects to be run as a
> non-root user.
> 
> Am I correct that the expected way to do this is to run lxc-setcap so I
> can run lxc-execute as the user, and then make sure the container config
> has
> 
> lxc.cap.drop = dac_override fowner setpcap net_admin net_raw sys_chroot
> sys_admin
> 
> so I drop all the capabilities again? It seems slightly more error prone
> than being able to set a uid and gid in the config directly, but maybe
> it's just me adjusting to using capabilities...

Ok, replying to myself, it seems almost right.

It is not possible to drop the capabilities dac_override and sys_admin
or the lxc-execute will fail (unable to execute lxc-init and unable to
mount /proc).

However, as the executable that lxc-init is calling has no inheritable
capabilities these get dropped when it is exec'd anyway, so it does do
what I want for running fastcgi processes in a container.

Justin
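The behaviour described in the message (two capabilities have to stay in lxc-init's sets, but the fastcgi child ends up with empty permitted and effective sets after exec) can be verified from the Cap* lines of /proc/<pid>/status. The script below is an added example, not code from the mailing list or from LXC: it decodes the hex masks using the capability numbering from the kernel's capability.h, parses an lxc.cap.drop line, and reports which of the listed capabilities a process can still use. The two status dumps are constructed to mirror the situation in the mail (lxc-init keeping dac_override and sys_admin; a worker with no inheritable capabilities after exec), not captured output.

```python
"""Decode Linux capability masks from a /proc/<pid>/status dump and compare
them against an lxc.cap.drop line.  Added example; the status dumps below
are constructed, not real kernel output."""

# Capability numbers as assigned in the kernel's capability.h (list index == number).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def decode_mask(hex_mask):
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into the
    set of capability names whose bit is set."""
    value = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if value & (1 << bit)}


def parse_cap_sets(status_text):
    """Extract CapInh/CapPrm/CapEff/CapBnd (and CapAmb if present) from the
    text of /proc/<pid>/status, each as a set of capability names."""
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, mask = line.partition(":")
            sets[key] = decode_mask(mask.strip())
    return sets


def parse_drop_line(config_line):
    """Parse 'lxc.cap.drop = a b c' into the set of capability names to drop."""
    _, _, value = config_line.partition("=")
    return set(value.split())


def still_usable(status_text, config_line):
    """Capabilities the config asks to drop that the process can still use,
    i.e. that remain in its permitted or effective set."""
    sets = parse_cap_sets(status_text)
    usable = sets.get("CapPrm", set()) | sets.get("CapEff", set())
    return sorted(parse_drop_line(config_line) & usable)


# The drop line from the mail.
DROP_LINE = ("lxc.cap.drop = dac_override fowner setpcap net_admin net_raw "
             "sys_chroot sys_admin")

# Constructed: lxc-init with fowner, setpcap, net_admin, net_raw and
# sys_chroot removed from every set, but dac_override and sys_admin kept
# (mask 0x1fffffbcef7 = all 41 capabilities minus those five bits).
LXC_INIT_STATUS = (
    "Name:\tlxc-init\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001fffffbcef7\n"
    "CapEff:\t000001fffffbcef7\n"
    "CapBnd:\t000001fffffbcef7\n"
)

# Constructed: the child after exec of a binary with no file capabilities as
# a non-root uid.  Inheritable was empty, so permitted and effective end up
# empty; only the bounding set is carried across.
WORKER_STATUS = (
    "Name:\tfcgi-worker\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t000001fffffbcef7\n"
)

if __name__ == "__main__":
    # On a live system, replace the constructed text with
    # open("/proc/<pid>/status").read() for the process inside the container.
    for label, text in (("lxc-init", LXC_INIT_STATUS),
                        ("fastcgi worker", WORKER_STATUS)):
        print("%-15s still usable from drop list: %s"
              % (label, still_usable(text, DROP_LINE)))
```

Running it prints `['dac_override', 'sys_admin']` for the lxc-init dump and `[]` for the worker, which is the distinction the mail draws: the two capabilities that could not be dropped from lxc-init are not available to the exec'd child, because nothing in the child's inheritable set lets them survive the exec.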
