[lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?

Fabio Tudone (fabio@paralleluniverse.co) fabio at paralleluniverse.co
Wed Sep 30 17:08:09 UTC 2015


I really meant unprivileged containers created for example by the 
download template.

Usually subuids have an empty set of capabilities on the host, which 
means that even if they were accessing host resources they wouldn't be 
able to do much, so they are effectively "jailed". On the other hand, if 
a regular host user is mapped into the container, it would 
theoretically be able to access host resources with the same 
capabilities granted to that host user, wouldn't it?

On a more practical level, what could be the security implications? Are 
there host resources that a malicious program could compromise when 
running in a container with the capabilities of a regular host user 
mapped in there? Even through (hypothetical) system issues / bugs / 
vulnerabilities. Can someone think of actual examples?

Thanks.

-- Fabio

On 09/30/2015 07:10 PM, Serge Hallyn wrote:
> Quoting Fabio Tudone (fabio at paralleluniverse.co) (fabio at paralleluniverse.co):
>> Hi,
>>
>> instead of creating "regular" LXC unprivileged containers where all
>> the users are mapped to (unprivileged) subuid/gid of my host user,
>> I'm considering a mapping where my host user itself will be mapped
>> to user 0 (root). They'd be very slim single-app containers.
>>
>> The reason is that in this way I don't need the rootfs directory
>> subtree, which resides in my user's home, to be namespace-chmod'd to
>> a different user and I can delete it with a plain rm instead of a
>> namespace one.
>>
>> Is this kind of LXC less secure than the "regular" one, and why is
>> it? What could happen in the worst case?
> Don't know what you mean by the regular lxc.  Root in your container
> will have full rights to your user-owned files on the host, but that's
> it.  That is no different than if you map your host uid into the
> container to any other id (since root in the container will have privilege
> over your host-uid-owned files in that case).
>
> So in general I recommend against mapping your host user into the container,
> but it has its uses (and I do it in one container).
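A small check for the situation discussed in this thread, added here as an example and not taken from the list or from the LXC project: it parses the LXC 1.x `lxc.id_map` lines of a container config and reports whether the host user's own uid/gid falls inside any mapped range (and which container id it becomes). The sample configs and the host uid/gid of 1000 are constructed.

```python
"""Flag LXC id maps that expose the host user's own uid or gid inside a container.

Added example (not from the lxc-users thread or the LXC project). It parses the
LXC 1.x syntax "lxc.id_map = u|g <container_id> <host_id> <range>" and reports
any line whose host range contains the given host uid/gid: a process running as
that container id then has the host user's rights over the host user's files.
"""
import re

ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_id_maps(config_text):
    """Return a list of (kind, container_id, host_id, range) tuples."""
    maps = []
    for line in config_text.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            kind, cid, hid, rng = m.groups()
            maps.append((kind, int(cid), int(hid), int(rng)))
    return maps


def host_id_exposures(config_text, host_uid, host_gid):
    """Return (kind, host_id, container_id) for each host uid/gid mapped into the container."""
    found = []
    for kind, cid, hid, rng in parse_id_maps(config_text):
        real = host_uid if kind == "u" else host_gid
        if hid <= real < hid + rng:  # host id lies inside this mapped range
            found.append((kind, real, cid + (real - hid)))
    return found


# Constructed sample configs: a subuid-only mapping vs one mapping the host user to root.
SUBUID_ONLY = """lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
HOST_USER_AS_ROOT = """lxc.id_map = u 0 1000 1
lxc.id_map = g 0 1000 1
lxc.id_map = u 1 100001 65535
lxc.id_map = g 1 100001 65535
"""

if __name__ == "__main__":
    for name, cfg in (("subuid-only", SUBUID_ONLY), ("host-user-as-root", HOST_USER_AS_ROOT)):
        hits = host_id_exposures(cfg, host_uid=1000, host_gid=1000)
        status = "OK: host user not mapped" if not hits else "WARNING: host user mapped"
        print(f"{name}: {status} {hits}")
```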