[lxc-users] Fwd: Security consequences of lxc.id_map not mapping a specific uid and gid
Christian Brauner
christianvanbrauner at gmail.com
Thu Dec 11 08:10:52 UTC 2014
Hello,
I run unprivileged containers and I want them to have access to video and
sound devices. Hence, I have the following in my ~/.config/lxc/default.conf as
suggested on Stéphane's blog:
# Container specific configuration
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
# uid and gid 1000 isn’t translated so that the container can access the
# X socket and dri and snd and video0 devices
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
I was wondering, compared to an unprivileged container where I simply
map:
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
1) Am I significantly more vulnerable when I preserve the uid/gid of my
unprivileged user on the host for my user in the container?
2) And is there a different solution which would allow me to grant
access to the sound and video devices in /dev/snd and /dev/dri to the
user in my unprivileged container while still preserving the standard
mapping:
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
3) During container bootup, e.g. Debian Wheezy/Stable is constantly
complaining in the following manner (log output below), and I would like to
know if this can be avoided:
INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Cleaning up temporary files... /tmp.
mount: permission denied
mount: permission denied
mount: permission denied
mount: permission denied
mount: permission denied
Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
Mount point '/dev/full' does not exist. Skipping mount. ... (warning).
Mount point '/dev/null' does not exist. Skipping mount. ... (warning).
Mount point '/dev/random' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty' does not exist. Skipping mount. ... (warning).
Mount point '/dev/urandom' does not exist. Skipping mount. ... (warning).
Mount point '/dev/zero' does not exist. Skipping mount. ... (warning).
Mount point '/dev/video0' does not exist. Skipping mount. ... (warning).
Mount point '/dev/fb0' does not exist. Skipping mount. ... (warning).
Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty1' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty2' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty3' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty4' does not exist. Skipping mount. ... (warning).
udev requires hotplug support, not started ... failed!
failed!
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux 2.20.1
done.
Mounting local filesystems...done.
/etc/init.d/mountall.sh: 59: kill: Illegal number: 4 1
Activating swapfile swap...done.
Cleaning up temporary files....
Setting kernel variables ...done.
Configuring network interfaces...done.
Cleaning up temporary files....
Setting up ALSA...Invalid card number.
Usage: amixer <options> [command]
Available options:
-h,--help this help
-c,--card N select the card
-D,--device N select the device, default 'default'
-d,--debug debug mode
-n,--nocheck do not perform range checking
-v,--version print version of this program
-q,--quiet be quiet
-i,--inactive show also inactive controls
-a,--abstract L select abstraction level (none or basic)
-s,--stdin Read and execute commands from stdin sequentially
Available commands:
scontrols show all mixer simple controls
scontents show contents of all mixer simple controls (default command)
sset sID P set contents for one mixer simple control
sget sID get contents for one mixer simple control
controls show all controls for given card
contents show contents of all controls for given card
cset cID P set control contents for one control
cget cID get control contents for one control
Best,
Christian
System Information:
Arch Linux with user namespace supported kernel.
lxc 1.0.7
cgroups are created with this script:

printf '\n\033[42mCreating cgroup hierarchy\033[m\n\n' &&
for d in /sys/fs/cgroup/*; do
    f=$(basename "$d")
    echo "looking at $f"
    if [ "$f" = "cpuset" ]; then
        # let child cgroups inherit cpuset.cpus/cpuset.mems from the parent
        echo 1 | sudo tee -a "$d/cgroup.clone_children"
    elif [ "$f" = "memory" ]; then
        echo 1 | sudo tee -a "$d/memory.use_hierarchy"
    fi
    # one cgroup per user, owned by that user, so unprivileged lxc can create children
    sudo mkdir -p "$d/$USER"
    sudo chown -R "$USER" "$d/$USER"
    # add current process to cgroup
    echo $$ > "$d/$USER/tasks"
done
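As an added example (not part of Christian's mail and not LXC's own code), here is a small Python check over the lxc.id_map lines quoted above. It parses the entries, reports container-side gaps and overlaps and host-side overlaps (the kernel rejects a uid_map/gid_map whose ranges overlap), translates a container id to the host id it lands on, and flags every identity entry, i.e. a range where the container id equals the host id. That identity entry is exactly what makes the container's user 1000 the same principal as the host user for ownership checks on files, sockets and device nodes, which is the security question the mail raises. The BROKEN_CONFIG input is constructed for the example, and the function and class names are the example's own.

```python
"""Static check of lxc.id_map lines (example code, not part of the post or of LXC).

LXC turns each lxc.id_map entry into one line of the user namespace's
uid_map / gid_map.  The kernel requires those ranges not to overlap, and any
container id outside every range simply cannot be used by the container.
An entry whose container id equals the host id is an identity mapping: that
user inside the container is the real host user as far as DAC is concerned.
"""
import re
from dataclasses import dataclass

# The id_map lines from the original mail, embedded so the check runs offline.
POSTED_CONFIG = """
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
# uid and gid 1000 isn't translated so that the container can access the
# X socket and dri and snd and video0 devices
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""

# Constructed for this example: the same layout with the 'u 1000 1000 1' line forgotten.
BROKEN_CONFIG = """
lxc.id_map = u 0 100000 1000
lxc.id_map = u 1001 101001 64535
"""

_LINE = re.compile(r"^lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass(frozen=True)
class IdMap:
    kind: str        # 'u' for uids, 'g' for gids
    ns_start: int    # first id inside the container
    host_start: int  # host id that ns_start is mapped to
    count: int       # number of ids in the range

    @property
    def ns_end(self):      # exclusive
        return self.ns_start + self.count

    @property
    def host_end(self):    # exclusive
        return self.host_start + self.count

    def is_identity(self):
        return self.ns_start == self.host_start


def parse_id_maps(text):
    """Return an IdMap for every lxc.id_map line; comments and other keys are ignored."""
    maps = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = _LINE.match(line)
        if m:
            kind, ns, host, count = m.groups()
            maps.append(IdMap(kind, int(ns), int(host), int(count)))
    return maps


def analyse(maps, kind, expected=65536):
    """Check one id kind ('u' or 'g'); findings are half-open (start, end) tuples."""
    ranges = sorted((m for m in maps if m.kind == kind), key=lambda m: m.ns_start)
    out = {'gaps': [], 'overlaps': [], 'host_overlaps': [], 'identity': []}
    cursor = 0
    for m in ranges:
        if m.ns_start > cursor:
            out['gaps'].append((cursor, m.ns_start))
        elif m.ns_start < cursor:
            out['overlaps'].append((m.ns_start, min(cursor, m.ns_end)))
        cursor = max(cursor, m.ns_end)
        if m.is_identity():
            out['identity'].append((m.ns_start, m.ns_end))
    if cursor < expected:
        out['gaps'].append((cursor, expected))
    # Two entries claiming the same host ids are rejected by the kernel.
    by_host = sorted(ranges, key=lambda m: m.host_start)
    for a, b in zip(by_host, by_host[1:]):
        if b.host_start < a.host_end:
            out['host_overlaps'].append((b.host_start, min(a.host_end, b.host_end)))
    return out


def host_id_for(maps, kind, ns_id):
    """Host id that a container id maps to, or None if no entry covers it."""
    for m in maps:
        if m.kind == kind and m.ns_start <= ns_id < m.ns_end:
            return m.host_start + (ns_id - m.ns_start)
    return None


if __name__ == '__main__':
    maps = parse_id_maps(POSTED_CONFIG)
    for kind in 'ug':
        print(kind, analyse(maps, kind))
    print('container uid 1000 is host uid', host_id_for(maps, 'u', 1000))
    print('broken config:', analyse(parse_id_maps(BROKEN_CONFIG), 'u'))
```

Run against the posted config, the check reports no gaps or overlaps for either kind, but one identity range (1000, 1001) for both uids and gids; against the standard "u 0 100000 65536" mapping it reports none, which is the difference the first question is about.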