[lxc-users] Understanding permissions for unprivileged LXC containers.

Serge Hallyn serge.hallyn at ubuntu.com
Mon May 4 14:07:10 UTC 2015


Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> I'm attempting to understand why something works which seems like it
> shouldn't.
> 
> I have an unprivileged container with a uid map of 0 100000 65536.  In
> order for the container to run, the root user of that container must be
> able to traverse to the rootfs.  In order to be more secure, I set my
> home directory as follows instead of granting +x to everyone:
> 
>     setfacl -m user:100000:x ~
> 
> No other user has execute permission on the home directory except the
> host user.  After I start the container, I create a user account in that
> container and su to that account:
> 
>     su - user
>     cd ~
>     touch test.txt
> 
> This works and I'm glad because I don't want to have to "chmod a+x" on
> my home directory and also don't want to have to create a separate ACL
> outside the container on my home directory for each user in the
> container.  But why?  The ID of the user in the container is 1000, which
> would map to an outside ID of 101000.  Viewing the file system from
> outside of the container shows that the id is indeed 101000.  After
> creating a test user with id 101000 on the outside, that user can not
> access my home directory:
> 
>     sudo adduser --uid 101000 --no-create-home --in-group users test
>     sudo su - test
>     cd /home/myuser (permission is denied as expected)
> 
> So why can a user from within the container with an ID that maps to
> 101000 outside the container access the home directory to the rootfs?

It doesn't ever have to descend your home directory, because its rootfs
starts below it, at $HOME/.local/share/lxc/$container/rootfs.
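The answer above rests on how path lookup works: search (x) permission on a directory is checked only when a path is resolved through it, and the container's processes start with their root already below $HOME, so $HOME is never walked. The script below is an added illustration, not code from the thread: it builds a constructed scratch stand-in for $HOME with a "rootfs" under it, uses a working directory inside that rootfs as a stand-in for the container's root, and compares a relative create from inside with an absolute create that has to pass through the unsearchable $HOME (as the host-side uid 101000 user would).

```shell
#!/bin/sh
# Added illustration, not code from the thread. Search (x) permission on a
# directory is checked only while a path is resolved through it. A process
# whose current directory is already below $HOME never walks through $HOME,
# which is why a container whose rootfs lives under $HOME/.local/share/lxc
# needs no +x on $HOME. The cwd below stands in for the container's root.

# $1 = stand-in for the host $HOME, $2 = stand-in for the container rootfs.
# Create a file by relative path from a cwd inside the rootfs while $HOME
# is unsearchable. Prints "ok" or "fail".
create_from_inside() {
    ( cd "$2/home/user" || exit 1
      chmod 000 "$1"                     # nobody but root may search $HOME now
      if touch test.txt 2>/dev/null; then echo ok; else echo fail; fi )
    chmod 700 "$1"                       # restore so cleanup can proceed
}

# Same create, but by absolute path from outside, like the host-side test
# user with uid 101000: the lookup must pass through the unsearchable $HOME.
create_from_outside() {
    chmod 000 "$1"
    if touch "$2/home/user/test2.txt" 2>/dev/null; then echo ok; else echo fail; fi
    chmod 700 "$1"
}

# Build a constructed scratch tree, run both attempts, clean up, and print
# "<inside> <outside>". As a non-root user the expected result is "ok fail";
# root bypasses directory permission checks, so both succeed for root.
run_demo() {
    scratch=$(mktemp -d)
    home="$scratch/home"                 # stands in for the host user's $HOME
    rootfs="$home/rootfs"                # stands in for $HOME/.local/share/lxc/$container/rootfs
    mkdir -p "$rootfs/home/user"
    inside=$(create_from_inside "$home" "$rootfs")
    outside=$(create_from_outside "$home" "$rootfs")
    rm -rf "$scratch"
    echo "$inside $outside"
}

run_demo
```

Run it as an ordinary user: the relative create from inside succeeds while the absolute create through $HOME is denied, which is exactly the asymmetry the question observed between the container's user and the host-side uid 101000 user.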

