[lxc-users] permissions question: netstat -anp does not show process for non owned processes
Serge Hallyn
serge.hallyn at ubuntu.com
Tue May 3 16:49:01 UTC 2016
Quoting Umberto Nicoletti (umberto.nicoletti at gmail.com):
> Hi all,
> I am dipping my toes into LXC and I'm liking what I see so far.
>
> I have one question about privileges/security inside containers: I have
> started a container and then accessed it with:
>
> lxc exec c1 /bin/bash
>
> If I run netstat -anp it will refuse to show me process information for
> processes that I do not own (even though I appear to be root).
>
> For instance an haproxy instance listening on port 3000 appears as the
> following (haproxy is running as user haproxy):
>
> root@c1:~# netstat -anp | grep 3000
> (Not all processes could be identified, non-owned process info
> will not be shown, you would have to be root to see it all.)
> tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
>
> I am running the latest lxc/lxd on Ubuntu 16.04.
>
> From what I have read I understand there is some uid mapping going on but I
> was hoping someone could explain it to me or point me in the right
> direction.
If I understand your email right, you'll be interested in
man 7 user_namespaces
(also available at http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html )
Indeed your container root is privileged with respect to the container's
resources, but is not root on the host. /proc/self/uid_map will show
how container uids are mapped. For instance, if you have
root@trusty-gui:/# cat /proc/self/uid_map
0 100000 65536
then root (uid 0) in the container is uid 100000 on the host. It
is privileged with respect to uids mapped into the container, which
are host uids 100000-165535. The container root is not privileged
against any task not owned by one of those host uids.
-serge
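The uid_map arithmetic Serge describes, as an added worked example that is not part of the original thread or of LXC/LXD: it parses the three-column `ID-inside-ns ID-outside-ns length` format documented in user_namespaces(7), translates a uid in either direction, and answers the question the thread is really about, namely whether a task owned by a given host uid falls inside the range that container root is privileged over. The sample maps and the `Uid:` status line are constructed for the example; the `read_own_uid_map` helper reads the live `/proc/self/uid_map` if you run it inside a container.

```python
#!/usr/bin/env python3
"""Translate uids across a user-namespace boundary.

/proc/<pid>/uid_map (see user_namespaces(7)) holds one entry per line:
    ID-inside-ns   ID-outside-ns   length
Sample maps below are constructed for this example, not captured from a host.
"""
from typing import List, Optional, Tuple

# (inside_start, outside_start, length), exactly the three columns of uid_map.
Entry = Tuple[int, int, int]

# Constructed: the single-range map quoted in the mail (0 100000 65536).
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Constructed: a map with a hole, container uids 1000..1099 are unmapped.
SPARSE_UID_MAP = "0 100000 1000\n1100 101100 64436\n"

# Constructed: the Uid: line of a /proc/<pid>/status file (real, effective,
# saved, filesystem uid) for a task running as uid 110.
SAMPLE_STATUS = "Name:\thaproxy\nUid:\t110\t110\t110\t110\nGid:\t115\t115\t115\t115\n"


def parse_uid_map(text: str) -> List[Entry]:
    """Parse uid_map text into (inside, outside, length) tuples."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length in uid_map line: {line!r}")
        entries.append((inside, outside, length))
    return entries


def to_host_uid(container_uid: int, entries: List[Entry]) -> Optional[int]:
    """Container uid -> host uid, or None when the uid is not mapped."""
    for inside, outside, length in entries:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def to_container_uid(host_uid: int, entries: List[Entry]) -> Optional[int]:
    """Host uid -> container uid, or None when the host uid is not mapped in.
    Unmapped host uids show up inside the container as the overflow uid
    (kernel.overflowuid, 65534 by default), which is why they read as nobody."""
    for inside, outside, length in entries:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None


def container_root_controls(host_uid: int, entries: List[Entry]) -> bool:
    """True if a task owned by host_uid is inside the namespace's uid range,
    i.e. container root's capabilities apply to it."""
    return to_container_uid(host_uid, entries) is not None


def owner_from_status(status_text: str) -> int:
    """Real uid from a /proc/<pid>/status body (first field of the Uid: line)."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    raise ValueError("no Uid: line in status text")


def read_own_uid_map(path: str = "/proc/self/uid_map") -> List[Entry]:
    """Read and parse the calling process's own uid_map."""
    with open(path) as f:
        return parse_uid_map(f.read())


if __name__ == "__main__":
    entries = parse_uid_map(SAMPLE_UID_MAP)
    print("container root is host uid", to_host_uid(0, entries))
    # A task read from the host side as uid 110 is outside 100000-165535,
    # so container root has no privilege over it.
    host_owner = owner_from_status(SAMPLE_STATUS)
    print("host uid", host_owner, "controlled by container root:",
          container_root_controls(host_owner, entries))
```

Run it inside a container and swap `parse_uid_map(SAMPLE_UID_MAP)` for `read_own_uid_map()` to see your own mapping; on an unprivileged LXD container the first line will typically look like the one in the mail. Note that a uid read from `/proc/<pid>/status` inside the container has already been translated by the kernel, so compare host-side values with the map only when you obtained them on the host.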