[lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Carlos Alberto Lopez Perez
clopez at igalia.com
Fri Jan 8 14:25:42 UTC 2016
Hi,
Suppose that we create an unprivileged container as root (using the
download template or manually converting it with uidmapshift).
Such container config will contain (for example) the following maps:
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
And root would be also allowed to use them:
$ usermod --add-subuids 100000-165536 root
$ usermod --add-subgids 100000-165536 root
My question is....
From a security point of view, does creating and starting an
unprivileged container as root make any difference than doing it as any
other user of the host?
My understanding is that once the unprivileged container is running,
root inside such container won't be able to get a host_uid < 100000 (in
this example) so starting the unprivileged container as root will be as
secure as starting the container as any other user that is allowed to do
so via the subuid/subgid maps. Is this right?
Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 883 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160108/0e8bf318/attachment.sig>
More information about the lxc-users
mailing list