[Lxc-users] uid isolation
Serge E. Hallyn
serge.hallyn at canonical.com
Fri Jan 14 18:34:47 UTC 2011
Quoting Reiner Herrmann (reiner at reiner-h.de):
> I have hardlinked some files into an lxc container to share them with
> someone. The files belong to uid 1000 on the host, but inside the
> container there also exists a user with uid 1000.
> Because they have the same uid, the user from the container is able
> to modify the files of the host user.
>
> Is there a way to isolate the uids, so that host-uid would not have
> the same rights as container-uid, even if they have the same numerical
> value?
User namespaces will provide these. In fact, after the patchset
which I've last posted to linux-kernel, the next task is to
add uid mapping for file access. But it's a long way off.
So in the meantime, you can use smack or selinux to provide
isolation which will be completely independent of uids.
-serge
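As an added illustration (not part of this thread or of lxc's own code), here is the uid-mapping arithmetic Serge refers to: with a user namespace, a uid is only a name for an identity inside one mapping, so container uid 1000 and host uid 1000 stop being the same principal. The three-field `/proc/<pid>/uid_map` format (inside id, outside id, count) is the one Linux user namespaces use; the two mapping tables, the file owner and the mode below are constructed for the demonstration, and group permissions are deliberately left out.

```python
"""Show how a uid_map makes "same number" and "same identity" differ.
Constructed example: the mapping tables and the file are made up;
the uid_map line format and the overflow uid are the kernel's."""

OVERFLOW_UID = 65534  # kernel default for ids with no mapping ("nobody")


def parse_uid_map(text):
    """Parse uid_map lines into (inside_start, outside_start, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def inside_to_outside(uid_map, uid):
    """Translate a uid as seen inside the container into the host's view."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return OVERFLOW_UID  # host id not visible from inside: shows as nobody


def outside_to_inside(uid_map, uid):
    """Translate a host uid into what the container sees (e.g. in ls -l)."""
    for inside, outside, count in uid_map:
        if outside <= uid < outside + count:
            return inside + (uid - outside)
    return OVERFLOW_UID


def may_write(uid_map, container_uid, file_owner_host_uid, mode):
    """Can a process running as container_uid write a host-owned file?
    The kernel compares ownership in host uid space after mapping, so the
    container uid is translated first; group bits are ignored here."""
    host_uid = inside_to_outside(uid_map, container_uid)
    if host_uid == file_owner_host_uid:
        return bool(mode & 0o200)  # owner write bit
    return bool(mode & 0o002)      # "other" write bit


# Constructed mappings: the first is the situation in the thread (no
# isolation), the second shifts container ids 0..65535 to host 100000+.
IDENTITY_MAP = parse_uid_map("0 0 4294967295")
SHIFTED_MAP = parse_uid_map("0 100000 65536")
```

With `SHIFTED_MAP`, container uid 1000 is host uid 101000, and the hardlinked file owned by host uid 1000 appears inside the container as owned by 65534, so the container user only gets the file's "other" permissions.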