[lxc-users] Unprivileged Container and bind-mounting /dev/...
Dirk Geschke
dirk at lug-erding.de
Fri Jan 23 22:52:25 UTC 2015
Hi Serge,
thanks for the response!
> Unprivileged containers are started in a new user namespace. Root
> in the container is mapped to another uid on the host, and is allowed
> privileged access to any resources which the unprivileged user owns.
That's one of the reasons, I like the idea of uprivileged containers.
> You can't mount most filesystems, but bind mounting is ok. The source
> node retains its ownership (uid -1, so you can't modify it), and if
> you start any setuid-root programs they will be run as root in your
> container, your user on the host, so you can only damage yourself.
That's the point I'm missing. Can a normal user bind mount e.g.
/dev/random somewhere else? I think, only root can do this?
If I try as a normal user this command
mount("/dev/random","/home/geschke/random","none",MS_BIND|MS_REC, 0)
I get a
mount: Operation not permitted
Where is my mistake?
Ah, as root in a container, it seems to work. But why? Is this a
feature of the user namespace?
Sorry, it works fine, but I'm just curious...
Best regards
Dirk
--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| dirk at geschke-online.de / dirk at lug-erding.de / kontakt at lug-erding.de |
+----------------------------------------------------------------------+
More information about the lxc-users
mailing list