[lxc-users] Unprivileged Container and bind-mounting /dev/...

Dirk Geschke dirk at lug-erding.de
Fri Jan 23 22:52:25 UTC 2015


Hi Serge,

thanks for the response!

> Unprivileged containers are started in a new user namespace.  Root
> in the container is mapped to another uid on the host, and is allowed
> privileged access to any resources which the unprivileged user owns.

That's one of the reasons I like the idea of unprivileged containers.

> You can't mount most filesystems, but bind mounting is ok.  The source
> node retains its ownership (uid -1, so you can't modify it), and if
> you start any setuid-root programs they will be run as root in your
> container, your user on the host, so you can only damage yourself.

That's the point I'm missing. Can a normal user bind mount e.g.
/dev/random somewhere else? I think only root can do this?

If I try as a normal user this command

   mount("/dev/random","/home/geschke/random","none",MS_BIND|MS_REC, 0)

I get a

   mount: Operation not permitted

Where is my mistake?

Ah, as root in a container, it seems to work. But why? Is this a
feature of the user namespace?

Sorry, it works fine, but I'm just curious...

Best regards

Dirk
-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at geschke-online.de / dirk at lug-erding.de  / kontakt at lug-erding.de |
+----------------------------------------------------------------------+
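Added example, not part of this thread or of LXC: the first function applies the uid_map arithmetic behind Serge's remark that container root is "mapped to another uid on the host" and that an unmapped source node shows up as uid -1 (the map texts used are constructed); the second reproduces the observation that the same mount(2) call fails for a plain user and succeeds for root of a fresh user namespace. The demo assumes a Linux host with unprivileged user namespaces enabled and /proc mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>
#define UID_UNMAPPED (-1L)

/* Translate a uid across a user namespace from the text of its /proc/<pid>/uid_map
 * ("inner outer count" per line). from_host=1: what the container sees for a host
 * uid; 0: the host uid the kernel really checks for a container uid. Ids outside
 * every range are UID_UNMAPPED and appear as the overflow uid 65534 ("nobody"):
 * that is how a bind-mounted /dev/random (host uid 0) looks from inside, and why
 * container root cannot chown or chmod it. */
long translate_uid(const char *map, long uid, int from_host)
{
    long inner, outer, count;
    int used;
    while (sscanf(map, "%ld %ld %ld%n", &inner, &outer, &count, &used) == 3) {
        long from = from_host ? outer : inner, to = from_host ? inner : outer;
        if (uid >= from && uid < from + count) return to + (uid - from);
        map += used;
    }
    return UID_UNMAPPED;
}

/* The thread's observation reproduced: mount(2) fails for a plain user but works
 * for root of a new user namespace that owns a new mount namespace (it holds
 * CAP_SYS_ADMIN there). Done in a child, so the caller's namespaces are untouched
 * and the mount disappears with the child. Returns 0 or -errno of the failing
 * step (EPERM/ENOSYS when unprivileged user namespaces are disabled). */
int bind_mount_in_userns(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        char line[64];
        int n = snprintf(line, sizeof line, "0 %u 1\n", getuid());
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(errno);
        int fd = open("/proc/self/uid_map", O_WRONLY); /* ns uid 0 == our uid */
        if (fd < 0 || write(fd, line, n) != n) _exit(errno);
        close(fd);
        if (mount(src, dst, "none", MS_BIND | MS_REC, NULL) != 0) _exit(errno);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -EINTR;
}
```

Calling bind_mount_in_userns("/dev/random", path) from a main(), with path an existing regular file, returns 0 as an ordinary user exactly where the bare mount() in the mail returned EPERM.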

