[lxc-users] Understanding permissions for unprivileged LXC containers.

Neil Greenwood neil.greenwood at gmail.com
Tue May 5 17:37:15 UTC 2015


The kernel in the container will run as user 100000, and the user with ID 1000 inside will run under that kernel. So since the kernel has permission to access the root filesystem, the 1000/101000 user does not need separate permission. At least as I understand it.

Neil

On 4 May 2015 04:14:19 BST, Brian Allen Vanderburg II <brianvanderburg2 at aim.com> wrote:
>I'm attempting to understand why something works which seems like it
>shouldn't.
>
>I have an unprivileged container with a uid map of 0 100000 65536.  In
>order for the container to run, the root user of that container must be
>able to traverse to the rootfs.  In order to be more secure, I set my
>home directory as follows instead of granting +x to everyone:
>
>    setfacl -m user:100000:x ~
>
>No other user has execute permission on the home directory except the
>host user.  After I start the container, I create a user account in that
>container and su to that account:
>
>    su - user
>    cd ~
>    touch test.txt
>
>This works and I'm glad because I don't want to have to "chmod a+x" on
>my home directory and also don't want to have to create a separate ACL
>outside the container on my home directory for each user in the
>container.  But why?  The ID of the user in the container is 1000, which
>would map to an outside ID of 101000.  Viewing the file system from
>outside of the container shows that the id is indeed 101000.  After
>creating a test user with id 101000 on the outside, that user can not
>access my home directory:
>
>    sudo adduser --uid 101000 --no-create-home --in-group users test
>    sudo su - test
>    cd /home/myuser (permission is denied as expected)
>
>So why can a user from within the container with an ID that maps to
>101000 outside the container access the home directory to the rootfs?
>
>Thanks
>
>Brian Allen Vanderburg II

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
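Added example, not code from either message in this thread: a small POSIX sh script that models the host-side check Brian performed with his test user. It maps a container uid through an idmap line in the "0 100000 65536" form to the corresponding host uid, then reads a getfacl-style ACL (constructed sample text, not captured from a real system) to decide whether that host uid is granted traversal (`x`) on the directory, applying the ACL mask to named-user entries as the kernel does. The function names `map_uid`, `acl_grants_x` and `host_can_traverse` are my own; it only considers named-user entries and the `other` entry, not owner or group membership.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread). Maps container uids to host
# uids under an idmap and checks what a POSIX ACL grants that host uid.

# map_uid "<cstart> <hstart> <count>" <container_uid>
# Prints the host uid, or "unmapped" if the uid falls outside the range.
map_uid() {
    cuid=$2
    set -- $1                      # split the idmap line into its three fields
    cstart=$1; hstart=$2; count=$3
    if [ "$cuid" -ge "$cstart" ] && [ "$cuid" -lt $((cstart + count)) ]; then
        echo $((hstart + cuid - cstart))
    else
        echo unmapped
    fi
}

# acl_grants_x "<getfacl text>" <host_uid>
# Prints yes/no. A named-user entry is used when present (limited by the
# mask entry); otherwise the "other" entry decides. Owner/group cases are
# deliberately left out of this simplified model.
acl_grants_x() {
    acl=$1; uid=$2
    entry=$(printf '%s\n' "$acl" | grep "^user:$uid:" | cut -d: -f3)
    mask=$(printf '%s\n' "$acl" | grep '^mask::' | cut -d: -f3)
    other=$(printf '%s\n' "$acl" | grep '^other::' | cut -d: -f3)
    if [ -n "$entry" ]; then
        case "$entry" in *x*) ;; *) echo no; return;; esac
        if [ -n "$mask" ]; then
            # The mask caps the effective rights of every named entry.
            case "$mask" in *x*) ;; *) echo no; return;; esac
        fi
        echo yes
    else
        case "$other" in *x*) echo yes;; *) echo no;; esac
    fi
}

# host_can_traverse "<idmap>" <container_uid> "<getfacl text>"
# Combines the two steps: which host uid the container uid becomes, and
# whether the directory ACL lets that host uid traverse it.
host_can_traverse() {
    hid=$(map_uid "$1" "$2")
    if [ "$hid" = unmapped ]; then
        echo no
    else
        acl_grants_x "$3" "$hid"
    fi
}

# Constructed sample input: Brian's idmap and a home directory ACL after
# "setfacl -m user:100000:x ~" (what getfacl would print in that shape).
SAMPLE_MAP="0 100000 65536"
SAMPLE_ACL='# file: home/myuser
# owner: myuser
# group: myuser
user::rwx
user:100000:--x
group::---
mask::--x
other::---'

for cuid in 0 1000; do
    hid=$(map_uid "$SAMPLE_MAP" "$cuid")
    echo "container uid $cuid -> host uid $hid, traverse from host: $(host_can_traverse "$SAMPLE_MAP" "$cuid" "$SAMPLE_ACL")"
done
```

Running it reports that container uid 0 becomes host uid 100000 and may traverse, while container uid 1000 becomes host uid 101000 and may not, which matches the `adduser --uid 101000` experiment in the question. Note that this reproduces the check a host process is subject to; a process inside the container resolves paths starting from the container's own root and does not walk the host-side `/home/myuser` components at all, so the ACL on the host directory is only consulted for lookups that actually pass through it.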