[lxc-users] Security question: root w/ subuids vs. unprivileged.

Raimund Berger raimund.berger at gmail.com
Fri Nov 28 10:28:52 UTC 2014


"Fajar A. Nugraha" <list-gqapnpqMBQ1eoWH0uzbU5w at public.gmane.org>
writes:

> On Fri, Nov 28, 2014 at 12:08 AM, Raimund Berger <raimund.berger-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
> wrote:
>
>> I'm asking since, as root, I'm guessing it might be easier to map select
>> devices - like OSS audio - into a container, even when mapping uids too,
>> which seems to be pretty much impossible to do with unprivileged
>> containers (for good reason, obviously).
>
>
>
> I thought there are groups for mostly every device a normal user would need
> to access, e.g. audio group? My guess is that if the uid of the user
> starting the container (as well as mapped root and whatever user inside the
> container that needs to access the device) belongs to the host's group, it
> should work even for unprivileged containers.

Entirely true. But then you need at least one dedicated user for each
device group you want to map. And if you want to map two groups, like
when trying to contain an application that uses both audio and video,
into a single container, you're already at a dead end.

I know there are workarounds like using PulseAudio instead of direct
device access. But there you might run into a whole other world of
issues. And, in view of the ongoing bufferbloat discussion, why
introduce still more buffers and latency without actual need?

Also, I'd think my question might really be of general interest, even
when not directly relating to situations where people try to map
multiple device groups, no?

