[lxc-users] Owner of an unprivileged container

Xavier Gendre gendre.reivax at gmail.com
Sat Apr 4 06:55:05 UTC 2015


Hi Serge,

On 03/04/2015 23:46, Serge Hallyn wrote:
> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>> Hello,
>>
>> I run several containers on my server and, following the security
>> advice, they are unprivileged. Each container belongs to one user
>> and I am asking myself whether this is a "good practice"...
>>
>> Thus my question is if there are some differences between:
>> - an unprivileged container owned by root with 'lxc.id_map' in its
>> config file to make it unprivileged,
>> - a similar unprivileged container but owned by a classical user.
>>
>> From the practical point of view, I have to admit that a container
>> owned by root is easier to handle but, from the security point of
>> view, is it safer to give the unprivileged container to a user
>> than to root? Or is the namespace sufficient to avoid escape from an
>> unprivileged container that belongs to root?
>
> The main difference would be that the container startup and the
> container monitor end up running as root if started by root.  This
> is a pretty small, but not zero, attack surface.

Thank you for this security information. Indeed, this is not a zero 
attack surface, but I have to admit that it is a sufficiently small one 
for my little server.

>> What are your "good practices" in the matter? All belong to root?
>> All belong to one devoted user? Or, as what I do, one user for one
>> container?
>
> Currently that's probably mainly decided by practicality.  If you
> want to use an encrypted lvm backing store (I do) then you need
> to have root start the container.  The biggest advantage in my
> opinion of using fully unprivileged containers (starting them as
> non-root user) is so that users other than you can create/start
> them without having root access.  Failing that, I still prefer to
> use fully unpriv containers myself when possible, to reduce the
> amount of time I spend as root.

I have discussed that with some people in the IRC channel 
#lxcontainers and I agree with you. Unprivileged root-owned containers 
are quite unavoidable for some particular usages. In the future, I will 
keep the simple containers as user-owned and put the complicated ones as 
root-owned. Anyway, I will deal with some trade-offs between root and 
user ownership ;-)

Thx,
Xavier
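Added example (not part of the thread, and not LXC's own code): the two cases discussed above differ in who runs lxc-start and the monitor, not in the `lxc.id_map` lines themselves, so a defender auditing a host wants to confirm two things per container: that container uid 0 really is shifted to an unprivileged host range, and which host user the monitor runs as. The helpers below turn `lxc.id_map = u <container-id> <host-id> <count>` config lines into the three-column layout the kernel exposes in `/proc/<pid>/uid_map`, resolve a container uid through that map, and recognise the 1:1 map of a privileged container. The sample config (container name `web`, rootfs path, the 100000/65536 range) is constructed for the example; the helper names are assumptions.

```shell
#!/bin/sh
# Constructed sample config for a root-owned container made unprivileged
# with lxc.id_map, as in the question. A user-owned container carries the
# same two lines (typically inherited from ~/.config/lxc/default.conf).
SAMPLE_CONFIG='lxc.utsname = web
lxc.rootfs = /var/lib/lxc/web/rootfs
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# idmap_from_config CONFIG_TEXT KIND  (KIND is u or g)
# Prints "<container-id> <host-id> <count>" per mapping, the same columns
# the kernel shows in /proc/<pid>/uid_map and gid_map.
idmap_from_config() {
    printf '%s\n' "$1" | awk -v kind="$2" '
        $1 == "lxc.id_map" && $3 == kind { print $4, $5, $6 }'
}

# host_uid CONTAINER_UID MAP_TEXT
# Resolves a uid seen inside the container to the host uid it really is,
# or prints "unmapped" when no range covers it (such ids show up as nobody).
host_uid() {
    printf '%s\n' "$2" | awk -v id="$1" '
        id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# map_is_identity MAP_TEXT
# Succeeds only for the single 1:1 line "0 0 4294967295", i.e. a privileged
# container (or a host process); whitespace is normalised first.
map_is_identity() {
    [ "$(printf '%s\n' "$1" | awk '{ print $1, $2, $3 }')" = "0 0 4294967295" ]
}

# Stand-alone demonstration on the constructed config.
if [ "${0##*/}" != "sh" ] && [ -z "$IDMAP_NO_DEMO" ]; then
    MAP="$(idmap_from_config "$SAMPLE_CONFIG" u)"
    echo "uid map from config: $MAP"
    echo "container root is host uid $(host_uid 0 "$MAP")"
    echo "container uid 1000 is host uid $(host_uid 1000 "$MAP")"
    if map_is_identity "$MAP"; then
        echo "WARNING: identity map, container root is host root"
    else
        echo "ok: container root is shifted away from host root"
    fi
fi
```

On a live host, feed the real map instead of the config: `lxc-info -n web -p` prints the container's init pid, `cat /proc/<pid>/uid_map` is the map to pass to `host_uid`, and `ps -o user= -p <pid-of-lxc-start>` shows whether the monitor itself runs as root (the root-started case Serge describes) or as the owning user.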

