[Lxc-users] uid isolation

Serge E. Hallyn serge.hallyn at canonical.com
Fri Jan 14 18:34:47 UTC 2011


Quoting Reiner Herrmann (reiner at reiner-h.de):
> I have hardlinked some files into an lxc container to share them with
> someone. The files belong to uid 1000 on the host, but inside the
> container there also exists a user with uid 1000.
> Because they have the same uid, the user from the container is able
> to modify the files of the host user.
> 
> Is there a way to isolate the uids, so that host-uid would not have
> the same rights as container-uid, even if they have the same numerical
> value?

User namespaces will provide these.  In fact, after the patchset
which I've last posted to linux-kernel, the next task is to
add uid mapping for file access.  But it's a long way off.

So in the meantime, you can use smack or selinux to provide
isolation which will be completely independent of uids.

-serge




More information about the lxc-users mailing list