[lxc-users] Understanding permissions for unprivileged LXC containers.

Brian Allen Vanderburg II brianvanderburg2 at aim.com
Mon May 4 03:14:19 UTC 2015


I'm attempting to understand why something works which seems like it
shouldn't.

I have an unprivileged container with a uid map of 0 100000 65536.  In
order for the container to run, the root user of that container must be
able to traverse to the rootfs.  In order to be more secure, I set my
home directory as follows instead of granting +x to everyone:

    setfacl -m user:100000:x ~

No other user has execute permission on the home directory except the
host user.  After I start the container, I create a user account in that
container and su to that account:

    su - user
    cd ~
    touch test.txt

This works and I'm glad because I don't want to have to "chmod a+x" on
my home directory and also don't want to have to create a separate ACL
outside the container on my home directory for each user in the
container.  But why?  The ID of the user in the container is 1000, which
would map to an outside ID of 101000.  Viewing the file system from
outside of the container shows that the id is indeed 101000.  After
creating a test user with id 101000 on the outside, that user cannot
access my home directory:

    sudo adduser --uid 101000 --no-create-home --in-group users test
    sudo su - test
    cd /home/myuser    # permission is denied, as expected

So why can a user from within the container with an ID that maps to
101000 outside the container access the home directory to the rootfs?

Thanks

Brian Allen Vanderburg II
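The behaviour described above follows from how the kernel applies directory permissions: search (x) permission is checked only on the path components actually walked during a lookup, and a process that already holds a reference inside the tree (its current directory, its root after chroot/pivot_root, or an open directory fd) starts later lookups from that reference without re-walking the ancestors. The container's init, running as host uid 100000 with the x bit granted by the ACL, traverses the home directory once on its way to the rootfs and then pivots its root into it; every lookup made by uid 1000 inside the container starts at that root and never touches /home/myuser again, whereas the host user 101000 starts from the host's / and is stopped at the home directory. The script below is an added example, not part of the post or of LXC itself. It reproduces the distinction without privileges, using a constructed temp-dir layout that stands in for a home directory containing a container rootfs (an assumption, not a path from the post), and probes the three kinds of lookup.

```python
import os
import shutil
import tempfile


def traversal_demo():
    """Show that search (x) permission is checked only on the path components
    actually walked during a lookup.

    Constructed layout under a temp dir (stands in for /home/myuser/.../rootfs;
    assumed for illustration, not taken from the post):

        <base>/home/rootfs/

    We take references to rootfs (cwd and a directory fd) while traversal is
    still permitted, then strip x from <base>/home and try three lookups.
    Returns a dict of observations so the outcome can be asserted on.
    """
    base = tempfile.mkdtemp(prefix="lxc-perm-demo-")
    home = os.path.join(base, "home")
    rootfs = os.path.join(home, "rootfs")
    os.makedirs(rootfs, mode=0o755)
    saved_cwd = os.getcwd()
    # root holds CAP_DAC_OVERRIDE and bypasses these checks entirely
    result = {"is_root": os.geteuid() == 0}
    dirfd = -1
    try:
        # Step 1: traverse while it is still allowed. This is what the
        # container's init (host uid 100000, granted x by the ACL) does
        # before it pivot_roots into the rootfs.
        os.chdir(rootfs)
        dirfd = os.open(".", os.O_RDONLY | os.O_DIRECTORY)

        # Step 2: revoke search permission on the ancestor for everyone,
        # owner included (DAC applies to the owner too without CAP_DAC_*).
        os.chmod(home, 0o600)

        # Step 3a: a relative lookup starts at cwd (rootfs) and never walks
        # through `home`, so it succeeds, like `touch test.txt` in the container.
        with open("test.txt", "w") as f:
            f.write("created via cwd\n")
        result["relative_ok"] = os.path.isfile("test.txt")

        # Step 3b: an openat()-style lookup relative to a held directory fd
        # likewise starts inside rootfs.
        fd = os.open("test2.txt", os.O_WRONLY | os.O_CREAT, 0o644, dir_fd=dirfd)
        os.close(fd)
        result["dirfd_ok"] = os.path.isfile("test2.txt")

        # Step 3c: an absolute lookup from the host's "/" must walk through
        # `home`, which now lacks x. This is the host user 101000's position.
        try:
            with open(os.path.join(rootfs, "test3.txt"), "w"):
                pass
            result["absolute_blocked"] = False
        except PermissionError:
            result["absolute_blocked"] = True
    finally:
        os.chdir(saved_cwd)
        if dirfd >= 0:
            os.close(dirfd)
        os.chmod(home, 0o700)  # restore x so cleanup can traverse again
        shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for key, value in traversal_demo().items():
        print(f"{key}: {value}")
```

Run it as an ordinary user: the relative and fd-relative creates succeed while the absolute one fails with EACCES, which is exactly the split between uid 1000 inside the container and uid 101000 on the host. Run as root the absolute lookup succeeds as well, because CAP_DAC_OVERRIDE bypasses DAC; the returned `is_root` flag records that case.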


