[lxc-users] Understanding permissions for unprivileged LXC containers.
Serge Hallyn
serge.hallyn at ubuntu.com
Mon May 4 14:07:10 UTC 2015
Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> I'm attempting to understand why something works which seems like it
> shouldn't.
>
> I have an unprivileged container with a uid map of 0 100000 65536. In
> order for the container to run, the root user of that container must be
> able to traverse to the rootfs. In order to be more secure, I set my
> home directory as follows instead of granting +x to everyone:
>
> setfacl -m user:100000:x ~
>
> No other user has execute permission on the home directory except the
> host user. After I start the container, I create a user account in that
> container and su to that account:
>
> su - user
> cd ~
> touch test.txt
>
> This works and I'm glad because I don't want to have to "chmod a+x" on
> my home directory and also don't want to have to create a separate ACL
> outside the container on my home directory for each user in the
> container. But why? The ID of the user in the container is 1000, which
> would map to an outside ID of 101000. Viewing the file system from
> outside of the container shows that the id is indeed 101000. After
> creating a test user with id 101000 on the outside, that user cannot
> access my home directory:
>
> sudo adduser --uid 101000 --no-create-home --in-group users test
> sudo su - test
> cd /home/myuser (permission is denied as expected)
>
> So why can a user from within the container with an ID that maps to
> 101000 outside the container access the home directory to the rootfs?
It doesn't ever have to descend your home directory, because its rootfs
starts below it, at $HOME/.local/share/lxc/$container/rootfs.
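The following is an added illustration, not code from either message in the thread: a small Python model of the uid mapping from the post (0 100000 65536) and of the per-directory search (x) check the kernel performs on each path component. The directory tree, the host uid 1000, the container name c1 and the directory modes are constructed assumptions; the ACL on the home directory is the one from the post. The model checks that the mapped container root (100000) can walk to the rootfs thanks to the ACL, that a host user with uid 101000 is stopped at the home directory, and that a path resolved inside the container starts at the rootfs, so the home directory is never consulted.

```python
# Added example, not code from the lxc-users thread: a simplified model of the
# uid mapping and the per-directory search (x) check the question turns on.
import posixpath
from dataclasses import dataclass, field

# The idmap from the original post, "0 100000 65536": container uid 0..65535
# maps to host uid 100000..165535.
IDMAP = [(0, 100000, 65536)]


def map_uid(container_uid, idmap=IDMAP):
    """Translate a container uid into the host uid the kernel actually checks."""
    for c_start, h_start, count in idmap:
        if c_start <= container_uid < c_start + count:
            return h_start + (container_uid - c_start)
    raise ValueError(f"container uid {container_uid} is not mapped")


@dataclass
class Dir:
    owner: int                                # host uid owning the directory
    mode: int                                 # permission bits, e.g. 0o700
    acl_x: set = field(default_factory=set)   # host uids granted :x via setfacl


def may_search(d, uid):
    """Simplified DAC check for the search (x) bit.

    Ignores groups, the ACL mask entry and capabilities; enough to show which
    component of a path walk refuses a given host uid.
    """
    if uid == d.owner:
        return bool(d.mode & 0o100)
    if uid in d.acl_x:
        return True
    return bool(d.mode & 0o001)


def first_denied_dir(tree, path, uid, root="/"):
    """Walk `path` component by component, starting at the process's root
    directory `root`, and return the first directory `uid` cannot search
    (None if every component is searchable). Directories above `root` are
    never consulted, which is what happens after lxc pivots the container's
    root onto its rootfs."""
    cur = posixpath.normpath(root)
    if not may_search(tree[cur], uid):
        return cur
    for component in [c for c in path.split("/") if c]:
        cur = posixpath.join(cur, component)
        if not may_search(tree[cur], uid):
            return cur
    return None


# Constructed host layout (assumption): host user 1000 owns /home/myuser with
# mode 0700 plus the ACL from the post, "setfacl -m user:100000:x ~".
HOST_UID = 1000
CT_ROOT = map_uid(0)       # container root -> host uid 100000
CT_USER = map_uid(1000)    # container user 1000 -> host uid 101000
ROOTFS = "/home/myuser/.local/share/lxc/c1/rootfs"

HOST_TREE = {
    "/": Dir(0, 0o755),
    "/home": Dir(0, 0o755),
    "/home/myuser": Dir(HOST_UID, 0o700, acl_x={CT_ROOT}),
    "/home/myuser/.local": Dir(HOST_UID, 0o755),
    "/home/myuser/.local/share": Dir(HOST_UID, 0o755),
    "/home/myuser/.local/share/lxc": Dir(HOST_UID, 0o755),
    "/home/myuser/.local/share/lxc/c1": Dir(HOST_UID, 0o755),
    # the rootfs and everything under it is owned by mapped container uids
    ROOTFS: Dir(CT_ROOT, 0o755),
    ROOTFS + "/home": Dir(CT_ROOT, 0o755),
    ROOTFS + "/home/user": Dir(CT_USER, 0o755),
}


def container_first_denied_dir(container_uid, container_path):
    """Resolve a path as a process inside the container would: with the
    mapped host uid and with the rootfs as the root of the path walk."""
    return first_denied_dir(HOST_TREE, container_path, map_uid(container_uid), root=ROOTFS)


if __name__ == "__main__":
    # Host-side checks, matching the two observations in the post.
    print("container root reaching rootfs:", first_denied_dir(HOST_TREE, ROOTFS, CT_ROOT))
    print("host uid 101000 reaching rootfs:", first_denied_dir(HOST_TREE, ROOTFS, CT_USER))
    # In-container check: /home/myuser is above the container's root, so it is skipped.
    print("container user 1000 reaching /home/user:", container_first_denied_dir(1000, "/home/user"))
```

Running the block prints `None` for the container root (the ACL lets uid 100000 search /home/myuser), `/home/myuser` for the host-side test user 101000, and `None` for the in-container user, because the walk for that process starts at the rootfs rather than at the host's `/`.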