[lxc-users] Is there any advantage to using separate subuid and subgid for each container?

Fajar A. Nugraha list at fajar.net
Mon Feb 15 06:01:43 UTC 2016


On Mon, Feb 15, 2016 at 11:56 AM, John Siu <john.sd.siu at gmail.com> wrote:

> Is there any advantage to using separate subuid and subgid for each
> container?
>
> For example, when multiple unprivileged containers with the same subuid
> 100000, ps will show something like the following:
>
> One cannot tell which process is owned by which container.
>
>
ps -ea -O cgroup:50



> Additionally, using the same subuid, is there any concern about one
> container gaining access to the other containers? Or is this not a problem
> at all?
>
>
In theory, yes, AFAIK that is a possibility. If somehow a process manages to
break out of the container, it might be able to do stuff on the host as an
unprivileged user.

I haven't seen any attacks like that on recent systems though. In
particular, with apparmor and lxcfs enabled, you should get an additional
layer of security. So personally I find it's still acceptable for multiple
unpriv containers to share the same subuid.

-- 
Fajar
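An added example, not from this thread and not LXC's own tooling, illustrating the two points discussed above in POSIX shell: with a shared subuid range a host uid cannot be attributed to one container, the cgroup column (as in the `ps -ea -O cgroup:50` suggestion) still can, and a simple check tells you whether your per-container ranges are disjoint. The uid map table, the container names and the ps lines are constructed sample data; on a real host the ranges would come from each container's `lxc.id_map` lines (for example `u 0 100000 65536`) and `/etc/subuid`.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread). All data below is
# constructed: three containers, two of which share subuid 100000.

# Constructed uid map table: "name host_uid_start count", one container
# per line, mirroring what each container's lxc.id_map would declare.
uid_map_table() {
    cat <<'EOF'
web 100000 65536
db 100000 65536
cache 200000 65536
EOF
}

# Print the name of every container whose range covers host uid $1.
# With shared ranges this prints more than one name, which is why a uid
# seen in ps output alone cannot be attributed to a container.
owners_of_uid() {
    uid_map_table | awk -v uid="$1" '
        uid >= $2 && uid < $2 + $3 { print $1 }'
}

# Constructed "pid uid cgroup" lines, shaped like `ps -eo pid,uid,cgroup`
# output trimmed to the controller that carries the lxc/<name> path.
sample_ps() {
    cat <<'EOF'
2001 100001 memory:/lxc/web
2002 100001 memory:/lxc/db
2003 200001 memory:/lxc/cache
EOF
}

# Attribute pid $1 to a container by the last element of its cgroup path.
# This works even when the uid ranges are shared.
container_of_pid() {
    sample_ps | awk -v pid="$1" '
        $1 == pid { n = split($3, p, "/"); print p[n] }'
}

# Return 0 when every container has a disjoint host uid range, 1 otherwise,
# naming each overlapping pair. Disjoint ranges make the uid itself a
# container identifier and keep an escaped process from owning another
# container's files on the host.
check_disjoint_ranges() {
    uid_map_table | awk '
        { name[NR] = $1; lo[NR] = $2; hi[NR] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s and %s\n", name[i], name[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Demo when run directly.
echo "uid 100001 could belong to: $(echo $(owners_of_uid 100001))"
echo "pid 2002 runs in: $(container_of_pid 2002)"
check_disjoint_ranges || echo "shared ranges found: uid ownership is ambiguous"
```

With the constructed table the check reports `overlap: web and db`; giving each container its own start value (as `cache` has) is what makes the uid-based view in ps unambiguous again.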