[lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

david.andel at bli.uzh.ch david.andel at bli.uzh.ch
Tue Jan 12 07:44:01 UTC 2016


So if I understood correctly, this means that lxd could potentially suffer from a weakness in 'lxc monitor', meaning that it is more secure to run unprivileged containers using the low level lxc-... functions?

-----"lxc-users" <lxc-users-bounces at lists.linuxcontainers.org> wrote: -----
To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
From: Serge Hallyn 
Sent by: "lxc-users" 
Date: 01/11/2016 23:36
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clopez at igalia.com):
> On 11/01/16 23:13, Serge Hallyn wrote:
> > Quoting david.andel at bli.uzh.ch (david.andel at bli.uzh.ch):
> >> Hmm, this is interesting.
> >> I am running my container from the unprivileged user 'lxduser' and yet:
> >>
> >> root at qumind:~# ps -ef | grep '[l]xc monitor'
> >> root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
> >>
> >> What is wrong here?
> > 
> > You're using lxd.  Lxd runs as root.  You are not starting the
> > containers as 'lxduser' - you are making requests as 'lxduser' for
> > the root-owned process 'lxd' to start the containers.
> 
> I understood that LXD uses unprivileged containers by default...
> 
> Does this mean that LXD is starting the unprivileged containers as root?

yes.  It does many things which an unprivileged user cannot do, so it has
to run as root.

The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
lxd interposes a pty between your console and the container's.
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
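The thread's point is that under LXD the '[lxc monitor]' process is root-owned even for an unprivileged container, so the owner of the monitor says nothing about the container's privilege level; what matters is whether the container's init sits in a shifted user namespace, which /proc/<pid>/uid_map shows directly. The following POSIX sh check is an added example, not code from this thread or from the LXC/LXD projects: the function names are made up, the sample map is constructed in the shape of LXD's default idmap, and report_monitors assumes procps pgrep is installed.

```shell
#!/bin/sh
# Classify a user-namespace uid map such as /proc/<pid>/uid_map.
# Each line reads: <id inside namespace> <id on host> <count>.
# The initial namespace shows exactly "0 0 4294967295", so a container
# whose init has that map runs its root as real host root, whichever
# host user typed the start command.
#
# Prints one of:
#   privileged              container uid 0 is host uid 0
#   unprivileged:<hostuid>  container uid 0 is shifted to <hostuid>
#   root-unmapped           uid 0 has no mapping (overflow/nobody uid)
#   unreadable              map file missing or not readable
uidmap_kind() {
    map_file="$1"
    [ -r "$map_file" ] || { echo "unreadable"; return 2; }
    kind="root-unmapped"
    while read -r ns_start host_start count; do
        [ -z "$ns_start" ] && continue          # skip blank lines
        # Does this range cover uid 0 inside the namespace?
        if [ "$ns_start" -le 0 ] && [ $((ns_start + count)) -gt 0 ]; then
            if [ "$host_start" -eq 0 ]; then
                kind="privileged"
            else
                kind="unprivileged:$host_start"
            fi
        fi
    done < "$map_file"
    echo "$kind"
}

# For every "[lxc monitor]" process (root-owned under LXD), report the
# uid map of its children, i.e. the container init it supervises.
# Assumes pgrep from procps; output is for a human, not parsed here.
report_monitors() {
    for pid in $(pgrep -f '^\[lxc monitor\]' 2>/dev/null); do
        for child in $(pgrep -P "$pid" 2>/dev/null); do
            printf '%s -> init pid %s: %s\n' \
                "$(tr '\0' ' ' < "/proc/$pid/cmdline")" "$child" \
                "$(uidmap_kind "/proc/$child/uid_map")"
        done
    done
}

# Constructed sample in the form of LXD's default idmap (100000 + 65536 ids).
sample=$(mktemp)
printf '         0     100000      65536\n' > "$sample"
uidmap_kind "$sample"            # unprivileged:100000
uidmap_kind /proc/self/uid_map   # privileged when run from the host's initial namespace
rm -f "$sample"
```

Run report_monitors as root on the LXD host to see, per monitor, whether the supervised init is actually shifted; a "privileged" result next to a root-owned monitor is the case the thread warns about.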