[lxc-users] Disable lxc-attach
Drake Wilson
drake at dasyatidae.net
Tue Jan 6 19:49:11 UTC 2015
Claudio Cesar Sanchez Tejeda wrote:
> The idea is to distribute an application and I don't want that the
> users that have root access to their servers could change anything on
> the configuration files or in the container.
You lose, and in most cases even _considering_ doing that is disrespectful
to people who want to control what's happening on their machine.
However:
- If you have the authority to lock down their access some other way,
you can do that (i.e., don't give them root to start with).
+ In particular if you're the one assigning the hardware, such as being
a VPS provider, you could put _them_ in a less-privileged zone and run
your stuff in a separately-managed zone which only you control.
- If the recipients can be made to agree to something contractually,
you may be able to use that, weakly detect tampering in software, and
apply contractual penalties if it's detected. (If you're doing this
to consumer-level software, you're in DRM-land, which, yes, makes
enforcement unreliable. No one has presented a way of making it reliable
without breaking the world.)
- If you merely want to make it inconvenient so that it's not done
casually, you may be able to set up other hedges to make things
awkward (which I won't personally help other people with on a
noncommercial basis).
Other than that, you don't have the authority; the person who legitimately
has full system access has the authority to manipulate everything running
on it. (I'm aware that there are scenarios where the social constructs in
force can't be rendered into Unix permissions very well, but that's not a
problem for which the solution is generally at this level.)
---> Drake Wilson
More information about the lxc-users
mailing list