[lxc-users] Owner of an unprivileged container

Bostjan Skufca bostjan at a2o.si
Sat Apr 4 01:14:09 UTC 2015


Hi Serge,

is there any standard implementation for starting user-unprivileged
containers at boot? I am not talking about containers which are uidmapped
(and started) by root to be unprivileged. I mean containers which are
created by unprivileged users in their home dirs.

Tnx for info,
b.


On 3 April 2015 at 23:46, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Xavier Gendre (gendre.reivax at gmail.com):
> > Hello,
> >
> > I run several containers on my server and, following the security
> > advice, they are unprivileged. Each container belongs to one user,
> > and I am asking myself whether this is a "good practice"...
> >
> > Thus my question is if there are some differences between:
> > - an unprivileged container owned by root with 'lxc.id_map' in its
> > config file to make it unprivileged,
> > - a similar unprivileged container but owned by a classical user.
> >
> > From the practical point of view, I have to admit that a container
> > owned by root is easier to handle, but, from the security point of
> > view, is it safer to give the unprivileged container to a user
> > than to root? Or is the namespace sufficient to prevent escape from an
> > unprivileged container that belongs to root?
>
> The main difference would be that the container startup and the
> container monitor end up running as root if started by root.  This
> is a pretty small, but not zero, attack surface.
>
> > What are your "good practices" in the matter? All belong to root?
> > All belong to one devoted user? Or, as I do, one user for one
> > container?
>
> Currently that's probably mainly decided by practicality.  If you
> want to use an encrypted lvm backing store (I do) then you need
> to have root start the container.  The biggest advantage in my
> opinion of using fully unprivileged containers (starting them as
> non-root user) is so that users other than you can create/start
> them without having root access.  Failing that, I still prefer to
> use fully unpriv containers myself when possible, to reduce the
> amount of time I spend as root.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
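Added example (an editor's illustration, not code from either poster or from the LXC project): the reply above draws a distinction that a config file alone does not show. A container can carry `lxc.id_map` lines and still have its startup and `[lxc monitor]` process owned by root, which is the "small, but not zero" attack surface Serge describes. The script below pairs a container's config with a process listing to tell the three cases apart: root-owned but uid-mapped, fully unprivileged (monitor owned by a non-root user), and privileged (no mapping at all). Everything it reads is constructed sample text embedded inline; it assumes the LXC 1.x `lxc.id_map` key syntax used in the thread and the `[lxc monitor] <lxcpath> <name>` process title of that release series.

```shell
#!/bin/sh
# Editor's example, not from the thread. Classifies an LXC 1.x container by
# (a) whether its config contains lxc.id_map lines and (b) which user owns
# its "[lxc monitor]" process. All inputs below are constructed samples.

# Constructed config: uid-mapped, but kept under /var/lib/lxc and started by root.
CFG_ROOT_MAPPED='lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# Constructed config: uid-mapped and created by an ordinary user in $HOME.
CFG_USER_MAPPED='lxc.utsname = web2
lxc.rootfs = /home/alice/.local/share/lxc/web2/rootfs
lxc.id_map = u 0 200000 65536
lxc.id_map = g 0 200000 65536'

# Constructed config with no mapping at all: a privileged container.
CFG_PRIV='lxc.utsname = legacy
lxc.rootfs = /var/lib/lxc/legacy/rootfs'

# Constructed snapshot in the shape of "ps -eo user,args" output.
PS_SNAPSHOT='USER     COMMAND
root     [lxc monitor] /var/lib/lxc web1
alice    [lxc monitor] /home/alice/.local/share/lxc web2
root     [lxc monitor] /var/lib/lxc legacy'

# has_idmap CONFIG: succeeds if the config contains at least one lxc.id_map line.
has_idmap() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lxc\.id_map[[:space:]]*='
}

# monitor_owner PS_TEXT NAME: prints the user owning the monitor for NAME,
# or "none" if no monitor for that container appears in the listing.
monitor_owner() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $2 == "[lxc" && $3 == "monitor]" && $NF == name { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# classify CONFIG PS_TEXT NAME: prints one of
#   fully-unprivileged  monitor owned by a non-root user and config is uid-mapped
#   user-unmapped       non-root monitor but no lxc.id_map (inconsistent config)
#   root-uidmapped      uid-mapped, but startup and monitor ran as root
#   privileged          no lxc.id_map and monitor runs as root
#   not-running         no monitor process found
classify() {
    owner=$(monitor_owner "$2" "$3")
    case "$owner" in
        none) echo not-running ;;
        root) if has_idmap "$1"; then echo root-uidmapped; else echo privileged; fi ;;
        *)    if has_idmap "$1"; then echo fully-unprivileged; else echo user-unmapped; fi ;;
    esac
}

# Stand-alone run over the constructed samples.
for entry in "web1:$CFG_ROOT_MAPPED" "web2:$CFG_USER_MAPPED" "legacy:$CFG_PRIV"; do
    name=${entry%%:*}
    cfg=${entry#*:}
    printf '%-8s owner=%-6s class=%s\n' "$name" "$(monitor_owner "$PS_SNAPSHOT" "$name")" "$(classify "$cfg" "$PS_SNAPSHOT" "$name")"
done
```

On a real host the two inputs would come from the container's config file and from `ps -eo user,args`; the awk match keys on the monitor's process title, so containers with the same name under different lxcpaths would need the path field checked as well.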