[lxc-users] pre-mount hook namespace

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Nov 11 16:01:34 UTC 2015


Thanks for the reply.

> On November 11, 2015 at 4:40 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > This puts us in a bit of a pickle as we'd like to setup mountpoints
> > for an unprivileged container without giving it access to more than it
> > needs (in particular, the storage configuration and processes involved
> > in managing and activating them.)
> 
> Please give a specific example of what you want.

Mount a filesystem for the unprivileged user which they cannot
mount by themselves due to a lack of permissions.
# mount -o loop /path/you/don't/have/access/to.img /the/container

> In order for an unprivileged user to be able to manipulate the mounts
> table, he must *first* unshare the user namespace.  That is so that
> if he mounts something over /etc/shadow, he can only trick setuid-root
> programs (like login) owned by his own user namespace.

Ah yes. I just read up on the mount namespace restrictions
section in user_namespaces(7).

Looks like it'll have to be mounting in the pre-start hook and
unmounting in the post-stop hook and letting the mounts stay
visible in the host's namespace.
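An added example (not from this thread and not LXC's own code) of the approach settled on above: one hook script registered as both lxc.hook.pre-start and lxc.hook.post-stop, which loop-mounts an image into the rootfs as host root, so the mount lives in the host's mount namespace. It assumes the hook calling convention from lxc.container.conf(5) (third argument is the hook type, LXC_ROOTFS_PATH is the configured rootfs) and a directory-backed rootfs; IMAGE and TARGET are constructed values.

```shell
#!/bin/sh
# Mount a host-only loop image into the container before start and unmount
# it after stop.  Runs as root in the host mount namespace, so the mount
# stays visible on the host.  Assumed from lxc.container.conf(5): $3 is the
# hook type, LXC_ROOTFS_PATH is the (directory-backed) rootfs.
IMAGE=/srv/images/data.img        # constructed: image the container user cannot read
TARGET=mnt/data                   # constructed: mountpoint relative to the rootfs

# The rootfs contents belong to the container, so a symlink at TARGET could
# redirect a root-run mount onto a host path.  Only proceed if the resolved
# mountpoint is still inside the rootfs.  Returns 0 if safe, 1 otherwise.
inside_rootfs() {
    root=$(readlink -f "$1") || return 1
    resolved=$(readlink -f "$2") || return 1
    case "$resolved/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

hook_main() {
    mp="$LXC_ROOTFS_PATH/$TARGET"
    case "$1" in
        pre-start)
            # Container is not running yet, so the rootfs is static here.
            inside_rootfs "$LXC_ROOTFS_PATH" "$mp" || {
                echo "refusing: $mp resolves outside the rootfs" >&2
                return 1
            }
            mkdir -p "$mp"
            mount -o loop,nosuid,nodev "$IMAGE" "$mp"
            ;;
        post-stop)
            umount "$mp"
            ;;
    esac
}

# Only act when LXC invokes us as a hook (hook type in the third argument).
if [ -n "${3:-}" ]; then
    hook_main "$3"
fi
```

Register it with `lxc.hook.pre-start = /path/to/hook.sh` and `lxc.hook.post-stop = /path/to/hook.sh`; the container never sees IMAGE itself, only the mounted filesystem.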
