[lxc-users] Security consequences of lxc.id_map not mapping a specific uid and gid

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jan 5 14:43:12 UTC 2015


Quoting Christian Brauner (christianvanbrauner at gmail.com):
> Hello,
> 
> I do the following in my ~/.config/lxc/default.conf:
> 
>     # Container specific configuration
>     lxc.id_map = u 1001 101001 64535
>     lxc.id_map = g 1001 101001 64535
>     # uid and gid 1000 isn’t translated so that the container can access the
>     # X socket and dri and snd and video0 devices
>     lxc.id_map = u 0 100000 1000
>     lxc.id_map = g 0 100000 1000
>     lxc.id_map = u 1000 1000 1
>     lxc.id_map = g 1000 1000 1
> 
> I was wondering compared to an unprivileged container where I simply
> map:
> 
>     lxc.id_map=u 0 100000 65536
>     lxc.id_map=g 0 100000 65536
> 
> 1) Am I significantly more vulnerable when I preserve the uid/gid of my
> unprivileged user on the host for my user in the container?

Yes.  It introduces a whole new class of vulnerability, where the container
root owns all of your own files.

At the same time it is still significantly (and even more significantly)
safer than having root in the container be the same as root on the host :)

> 2) And is there a different solution which would allow me to grant
> access to the sound and video devices in /dev/snd and /dev/dri to the
> user in my unprivileged container while still preserving the standard
> mapping:
> 
>     lxc.id_map=u 0 100000 65536
>     lxc.id_map=g 0 100000 65536

You can use pulse to forward the sound over the network.  For dri, I
don't know that there is.
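
Added example, not part of the original messages: a small Python audit that parses the two `lxc.id_map` configurations quoted above, translates container ids to host ids, and flags any mapping that lands on a host id outside the subordinate range. The function names and the assumed delegation of 100000 plus 65536 ids are illustrative; take the real range from /etc/subuid and /etc/subgid.

```python
import re

# Constructed input: the two configurations quoted in the thread.
PASSTHROUGH = """\
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""
STANDARD = """\
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
"""

ID_MAP = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_maps(text):
    """Return (kind, container_start, host_start, count) per lxc.id_map line."""
    hits = (ID_MAP.match(line) for line in text.splitlines())
    return [(m.group(1), *map(int, m.groups()[1:])) for m in hits if m]

def to_host(maps, kind, cid):
    """Translate a container id to the host id it runs as, or None if unmapped."""
    for k, cstart, hstart, count in maps:
        if k == kind and cstart <= cid < cstart + count:
            return hstart + (cid - cstart)
    return None

def exposed_host_ids(maps, sub_start=100000, sub_count=65536):
    """Return (kind, first, last) host id ranges mapped outside the subordinate range."""
    # Assumed delegation (matches the thread's numbers), not read from the system.
    sub_end = sub_start + sub_count  # exclusive
    findings = []
    for kind, _cstart, hstart, count in maps:
        hend = hstart + count  # exclusive
        if hstart < min(hend, sub_start):      # part below the delegation
            findings.append((kind, hstart, min(hend, sub_start) - 1))
        if max(hstart, sub_end) < hend:        # part above the delegation
            findings.append((kind, max(hstart, sub_end), hend - 1))
    return findings

if __name__ == "__main__":
    for name, conf in (("passthrough", PASSTHROUGH), ("standard", STANDARD)):
        print(name, exposed_host_ids(parse_id_maps(conf)))
```

With the first configuration, container uid and gid 1000 resolve to host id 1000, which is the condition the reply warns about; with the standard mapping every container id stays inside the subordinate range.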

