[lxc-users] Security consequences of lxc.id_map not mapping a specific uid and gid

Christian Brauner christianvanbrauner at gmail.com
Mon Dec 8 13:26:59 UTC 2014


Hello,

I do the following in my ~/.config/lxc/default.conf:

    # Container specific configuration
    lxc.id_map = u 1001 101001 64535
    lxc.id_map = g 1001 101001 64535
    # uid and gid 1000 isn’t translated so that the container can access the
    # X socket and dri and snd and video0 devices
    lxc.id_map = u 0 100000 1000
    lxc.id_map = g 0 100000 1000
    lxc.id_map = u 1000 1000 1
    lxc.id_map = g 1000 1000 1

I was wondering compared to an unprivileged container where I simply
map:

    lxc.id_map=u 0 100000 65536
    lxc.id_map=g 0 100000 65536

1) Am I significantly more vulnerable when I preserve the uid/gid of my
unprivileged user on the host for my user in the container?

2) And is there a different solution which would allow me to grant
access to the sound and video devices in /dev/snd and /dev/dri to the
user in my unprivileged container while still preserving the standard
mapping:

    lxc.id_map=u 0 100000 65536
    lxc.id_map=g 0 100000 65536

Best,
Christian


More information about the lxc-users mailing list