[lxc-users] Security consequences of lxc.id_map not mapping a specific uid and gid
Christian Brauner
christianvanbrauner at gmail.com
Mon Dec 8 13:26:59 UTC 2014
Hello,
I do the following in my ~/.config/lxc/default.conf:
# Container specific configuration
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
# uid and gid 1000 isn’t translated so that the container can access the
# X socket and dri and snd and video0 devices
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
I was wondering, compared to an unprivileged container where I simply
map:
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
1) Am I significantly more vulnerable when I preserve the uid/gid of my
unprivileged user on the host for my user in the container?
2) And is there a different solution which would allow me to grant
access to the sound and video devices in /dev/snd and /dev/dri to the
user in my unprivileged container while still preserving the standard
mapping:
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
Best,
Christian
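As an added illustration (not part of Christian's mail, and not LXC's own code), here is a small Python resolver that parses the two id_map layouts quoted above and reports where a given container uid/gid lands on the host, and vice versa. Running it makes the difference mechanical: with the split layout, container uid/gid 1000 is the host's uid/gid 1000 and nothing else in the map is left untranslated, while with the standard layout every container id lands in the 100000+ subordinate range. The parser and the helper names are assumptions made for this example; the configuration text is copied from the mail.

```python
"""Resolve lxc.id_map entries to host ids and flag untranslated ids.

Example code added for illustration; it is not part of LXC. The two
configurations below are constructed from the mail above.
"""
from typing import List, Optional, Tuple

# (kind, container_start, host_start, count), one tuple per lxc.id_map line
Entry = Tuple[str, int, int, int]

SPLIT_CONFIG = """
# uid and gid 1000 isn't translated so the container can reach host devices
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""

STANDARD_CONFIG = """
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
"""


def parse_id_map(config: str) -> List[Entry]:
    """Extract lxc.id_map lines; both 'key = value' and 'key=value' are accepted."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue
        kind, c_start, h_start, count = value.split()
        if kind not in ("u", "g"):
            raise ValueError(f"unknown id_map kind {kind!r}")
        entries.append((kind, int(c_start), int(h_start), int(count)))
    return entries


def check_no_overlap(entries: List[Entry], kind: str) -> None:
    """Reject maps where two ranges of the same kind overlap on either side.

    The kernel refuses overlapping uid_map/gid_map ranges, so a config that
    fails here would not start at all."""
    ranges = [(c, h, n) for k, c, h, n in entries if k == kind]
    for i, (c1, h1, n1) in enumerate(ranges):
        for c2, h2, n2 in ranges[i + 1:]:
            if c1 < c2 + n2 and c2 < c1 + n1:
                raise ValueError(f"container-side overlap for {kind}: {c1}+{n1} vs {c2}+{n2}")
            if h1 < h2 + n2 and h2 < h1 + n1:
                raise ValueError(f"host-side overlap for {kind}: {h1}+{n1} vs {h2}+{n2}")


def container_to_host(entries: List[Entry], kind: str, cid: int) -> Optional[int]:
    """Host id that a container id is translated to; None if the id is not mapped
    (a process in the container cannot assume an unmapped id at all)."""
    for k, c_start, h_start, count in entries:
        if k == kind and c_start <= cid < c_start + count:
            return h_start + (cid - c_start)
    return None


def host_to_container(entries: List[Entry], kind: str, hid: int) -> Optional[int]:
    """Container id under which a host-owned file appears; None if unmapped
    (such files show up as the overflow id, i.e. nobody/nogroup, inside)."""
    for k, c_start, h_start, count in entries:
        if k == kind and h_start <= hid < h_start + count:
            return c_start + (hid - h_start)
    return None


def identity_mapped_ids(entries: List[Entry], kind: str) -> List[int]:
    """Container ids that are the same number on the host, i.e. not translated.

    An entry maps cid -> h_start + (cid - c_start), so an id is untranslated
    exactly when its entry has c_start == h_start."""
    ids: List[int] = []
    for k, c_start, h_start, count in entries:
        if k == kind and c_start == h_start:
            ids.extend(range(c_start, c_start + count))
    return ids


if __name__ == "__main__":
    for name, cfg in (("split", SPLIT_CONFIG), ("standard", STANDARD_CONFIG)):
        entries = parse_id_map(cfg)
        check_no_overlap(entries, "u")
        print(name, "container uid 1000 ->", container_to_host(entries, "u", 1000),
              "untranslated uids:", identity_mapped_ids(entries, "u"))
```

The host_to_container direction is the one that matters for the question in the mail: with the split map, every host file owned by uid 1000 that is reachable from inside the container (bind mounts, the X socket, the device nodes) is owned by the container's uid 1000 too, whereas under the standard map the same files belong to nobody inside the container and the device access would have to be granted some other way.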