[lxc-users] Is there any advantage to use separate subuid and subgid for each container?
John Siu
john.sd.siu at gmail.com
Mon Feb 15 07:20:30 UTC 2016
I am thinking more about a container accessing another container, instead of a container accessing the host. So it is like drilling a hole in the wall to next door, instead of drilling through the floor to access the lobby. Or are they actually equivalent?
John
> On Feb 15, 2016, at 01:01, Fajar A. Nugraha <list at fajar.net> wrote:
>
> On Mon, Feb 15, 2016 at 11:56 AM, John Siu <john.sd.siu at gmail.com> wrote:
> Is there any advantage to use separate subuid and subgid for each container?
>
> For example, when multiple unprivileged containers with the same subuid 100000, ps will show something like the following:
>
> One cannot tell which process is owned by which container.
>
>
> ps -ea -O cgroup:50
>
>
> Additionally, using the same subuid, is there any concern about one container gaining access to the other containers? Or is this not a problem at all?
>
>
> In theory, yes, AFAIK that is a possibility. If somehow a process manages to break out of the container, it might be able to do stuff in the host as an unprivileged user.
>
> I haven't seen any attacks like that on recent systems though. In particular, with apparmor and lxcfs enabled, you should get an additional layer of security. So personally I find it's still acceptable for multiple unpriv containers to share the same subuid.
>
> --
> Fajar
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
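As an added example (not code from the thread or from the LXC project), the helper below carves one disjoint subuid/subgid slice per container out of a /etc/subuid-style line, emits the matching lxc.idmap lines (lxc.id_map on LXC releases before 2.1), checks that no two containers overlap, and maps a host uid seen in ps back to the container it belongs to. The host user name, container names and range sizes are constructed sample values.

```python
"""Allocate a disjoint subuid/subgid range per unprivileged container.

Input is a /etc/subuid-style line for the host user that runs the
containers (constructed sample below). Output is an lxc config fragment
per container with its own idmap range, plus an overlap check so that two
containers never share host uids, and a reverse lookup for ps output.
"""

SUBUID_LINE = "lxcuser:100000:393216"   # constructed: room for 6 x 65536 ids
RANGE = 65536                            # ids mapped into each container


def parse_subid(line):
    """Return (user, start, count) from a /etc/subuid or /etc/subgid line."""
    user, start, count = line.strip().split(":")
    return user, int(start), int(count)


def allocate(containers, line, size=RANGE):
    """Give each container its own non-overlapping slice of the host range."""
    _, start, count = parse_subid(line)
    if size * len(containers) > count:
        raise ValueError("not enough subordinate ids for %d containers" % len(containers))
    return {name: (start + i * size, size) for i, name in enumerate(containers)}


def idmap_config(name, alloc):
    """Render the lxc.idmap lines (lxc.id_map on LXC < 2.1) for one container."""
    base, size = alloc[name]
    return ["lxc.idmap = u 0 %d %d" % (base, size),
            "lxc.idmap = g 0 %d %d" % (base, size)]


def overlaps(alloc):
    """Return pairs of containers whose host ranges intersect (should be empty)."""
    items = sorted(alloc.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (sa, na)), (b, (sb, nb)) in zip(items, items[1:])
            if sb < sa + na]


def owner_of(host_uid, alloc):
    """Map a host uid seen in 'ps' back to (container, uid inside container)."""
    for name, (base, size) in alloc.items():
        if base <= host_uid < base + size:
            return name, host_uid - base
    return None


if __name__ == "__main__":
    alloc = allocate(["web", "db", "cache"], SUBUID_LINE)
    for n in alloc:
        print("# %s\n%s" % (n, "\n".join(idmap_config(n, alloc))))
    print(overlaps(alloc), owner_of(165537, alloc))
```

With distinct ranges, the host uid column of ps identifies the container directly, and a process that escapes one container runs as a uid that owns nothing in the others.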