[lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

david.andel at bli.uzh.ch david.andel at bli.uzh.ch
Mon Jan 11 19:42:54 UTC 2016


Hmm, this is interesting.
I am running my container from the unprivileged user 'lxduser' and yet:

root@qumind:~# ps -ef | grep '[l]xc monitor'
root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga

What is wrong here?


-----"lxc-users" <lxc-users-bounces at lists.linuxcontainers.org> wrote: -----
To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
From: Serge Hallyn 
Sent by: "lxc-users" 
Date: 01/11/2016 19:00
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clopez at igalia.com):
> On 08/01/16 19:58, Serge Hallyn wrote:
> > Quoting Carlos Alberto Lopez Perez (clopez at igalia.com):
> >> Hi,
> >>
> >>
> >> Suppose that we create an unprivileged container as root (using the
> >> download template or manually converting it with uidmapshift).
> >>
> >> Such container config will contain (for example) the following maps:
> >>
> >> lxc.id_map = u 0 100000 65536
> >> lxc.id_map = g 0 100000 65536
> >>
> >> And root would be also allowed to use them:
> >>
> >> $ usermod --add-subuids 100000-165536 root
> >> $ usermod --add-subgids 100000-165536 root
> >>
> >>
> >> My question is....
> >>
> >> From a security point of view, does creating and starting an
> >> unprivileged container as root make any difference than doing it as any
> >> other user of the host?
> > 
> > Yes.
> > 
> > For example, if you'll then be running lxc-attach as root instead of as
> > an unpriv user, then any attacks from inside the container against lxc-attach
> > will attack the root user.
> > 
> 
> Is this the only difference from a security point of view?
> Suppose that I don't use lxc-attach, but lxc-console or login via ssh.

The monitor (look for "[lxc monitor]" in process listing) runs with your
uid.  So if there were a way for the container to make the lxc monitor
execute code, it would be privilege escalation.
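
Added example, not part of the original thread or of LXC itself: a small audit that compares what a container's `lxc.id_map` says about container root with the host uid its `[lxc monitor]` process runs as, the two things discussed above. The sample config and `ps -eo uid,pid,args` lines are constructed (the first monitor line reuses the pid and path shown in the message; the `alice`/`web1` line is hypothetical).

```python
import re

# Constructed sample input: an lxc config fragment using the maps quoted in
# the thread, and `ps -eo uid,pid,args` style lines (values are illustrative).
SAMPLE_CONFIG = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
SAMPLE_PS = """\
    0  7609 [lxc monitor] /var/lib/lxd/containers pgroonga
 1001  8120 [lxc monitor] /home/alice/.local/share/lxc web1
 1001  8200 /usr/bin/ssh-agent
"""

ID_MAP = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
MONITOR = re.compile(r"^\s*(\d+)\s+(\d+)\s+\[lxc monitor\]\s+(\S+)\s+(\S+)\s*$")

def container_root_host_uid(config_text):
    """Return the host uid that container uid 0 maps to, or 0 if unmapped."""
    for line in config_text.splitlines():
        m = ID_MAP.match(line)
        if not m or m.group(1) != "u":
            continue
        inside, host, count = int(m.group(2)), int(m.group(3)), int(m.group(4))
        if inside <= 0 < inside + count:
            return host - inside
    return 0  # no uid map covering 0: container root is host root (privileged)

def monitors(ps_text):
    """Yield (host_uid, pid, lxcpath, name) for each [lxc monitor] process."""
    for line in ps_text.splitlines():
        m = MONITOR.match(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)

def root_monitors(ps_text):
    """Container names whose monitor runs as host uid 0."""
    return [name for uid, _pid, _path, name in monitors(ps_text) if uid == 0]

if __name__ == "__main__":
    print("container root maps to host uid", container_root_host_uid(SAMPLE_CONFIG))
    for uid, pid, path, name in monitors(SAMPLE_PS):
        note = "monitor runs as host root" if uid == 0 else "monitor is unprivileged"
        print(f"{name}: pid {pid} uid {uid} ({note})")
```

On a live host, feed `monitors()` the output of `ps -eo uid,pid,args`; a container whose root is mapped to a high host uid can still appear in `root_monitors()`, which is the situation the reply about the monitor's uid is concerned with.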