[lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure than one where one of its subids is mapped to 0, and why?

Serge Hallyn serge.hallyn at ubuntu.com
Wed Sep 30 17:38:10 UTC 2015


Quoting Fabio Tudone (fabio at paralleluniverse.co):
> I really meant unprivileged containers created for example by the
> download template.
> 
> Usually subuids have an empty set of capabilities on the host, which
> means that even if they were accessing host resources they wouldn't
> be able to do much, so they are effectively "jailed". On the other
> hand, if a regular host user is mapped into the container, it would
> theoretically be able to access host resources with the same
> capabilities granted to the host user, wouldn't it?

No.  So long as the container has an lxc.id_map entry, it will run
in a private user namespace, and will have no capabilities with respect
to the host.  It will have full caps wrt any uids mapped into the
container, and any resources created by the container.

> On a more practical level, what could be the security implications?
> Are there host resources that a malicious program could compromise
> when running in a container with the capabilities of a regular host
> user mapped in there? Even if only because of (hypothetical) system
> issues / bugs / vulnerabilities. Can someone think of actual examples?

yes.
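To make "full caps wrt any uids mapped into the container" concrete, here is an added example (not LXC's own code, not part of this thread) that applies lxc.id_map lines the way the kernel's uid_map does and reports which host uids the container's root is privileged over. The host uid 1000 and both configurations are constructed samples.

```python
# Added example, not LXC's own code: apply lxc.id_map lines the way the
# kernel's uid_map does, to see which host ids a container's root is
# privileged over. The host uid 1000 below is a constructed sample.
from dataclasses import dataclass

OVERFLOW_ID = 65534  # kernel overflowuid/overflowgid: how unmapped host ids look inside the namespace


@dataclass(frozen=True)
class IdMap:
    kind: str            # "u" for uids, "g" for gids
    container_start: int
    host_start: int
    count: int


def parse_id_map(config_text):
    """Parse 'lxc.id_map = u 0 100000 65536' lines from a container config."""
    maps = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "lxc.id_map":
            kind, cstart, hstart, count = value.split()
            maps.append(IdMap(kind, int(cstart), int(hstart), int(count)))
    return maps


def host_to_container(maps, kind, host_id):
    """Host id as seen from inside the container; unmapped ids collapse to OVERFLOW_ID."""
    for m in maps:
        if m.kind == kind and m.host_start <= host_id < m.host_start + m.count:
            return m.container_start + (host_id - m.host_start)
    return OVERFLOW_ID


def container_root_controls(maps, kind, host_id):
    """Container root has full capabilities over a host id only if that id is mapped."""
    return host_to_container(maps, kind, host_id) != OVERFLOW_ID


# Case 1: only subuids mapped (what the download template normally produces).
SUBUID_ONLY = "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n"
# Case 2: the host user (uid 1000, constructed) is mapped to container uid 0.
HOST_USER_AS_ROOT = "lxc.id_map = u 0 1000 1\nlxc.id_map = u 1 100001 65535\n"


def compare(host_uid=1000):
    """For each configuration: can container root act on host root / on the host user?"""
    return {name: {"host_root": container_root_controls(parse_id_map(cfg), "u", 0),
                   "host_user": container_root_controls(parse_id_map(cfg), "u", host_uid)}
            for name, cfg in (("subuid_only", SUBUID_ONLY), ("host_user_as_root", HOST_USER_AS_ROOT))}
```

In neither case does container root gain anything over host uid 0; the difference is that in the second configuration container root has full capabilities over files and processes owned by host uid 1000, which is exactly the set of resources the mapped host user owns.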
