[lxc-users] permissions question: netstat -anp does not show process for non owned processes
Umberto Nicoletti
umberto.nicoletti at gmail.com
Tue May 3 19:05:56 UTC 2016
On Tue, May 3, 2016 at 6:49 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Umberto Nicoletti (umberto.nicoletti at gmail.com):
> > Hi all,
> > I am dipping my toes into LXC and I'm liking what I see so far.
> >
> > I have one question about privileges/security inside containers: I have
> > started a container and then accessed it with:
> >
> > lxc exec c1 /bin/bash
> >
> > If I run netstat -anp it will refuse to show me process information for
> > processes that I do not own (even though I appear to be root).
> >
> > For instance an haproxy instance listening on port 3000 appears as the
> > following (haproxy is running as user haproxy):
> >
> > root at c1:~# netstat -anp | grep 3000
> > (Not all processes could be identified, non-owned process info
> > will not be shown, you would have to be root to see it all.)
> > tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
> >
> > I am running the latest lxc/lxd on Ubuntu 16.04.
> >
> > From what I have read I understand there is some uid mapping going on
> > but I was hoping someone could explain it to me or point me in the right
> > direction.
>
> If I understand your email right, you'll be interested in
>
> man 7 user_namespaces
>
> (also available at
> http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html
> )
>
> Indeed your container root is privileged with respect to the container's
> resources, but is not root on the host. /proc/self/uid_map will show
> how container uids are mapped. For instance, if you have
>
> root at trusty-gui:/# cat /proc/self/uid_map
> 0 100000 65536
>
> then root (uid 0) in the container is uid 100000 on the host. It
> is privileged with respect to uids mapped into the container, which
> are host uids 100000-165535. The container root is not privileged
> against any task not owned by one of those host uids.
>
Thanks for taking the time to answer.
This makes sense; still, I don't understand why netstat won't show the pid
and program for sockets owned by container processes like haproxy in my
previous example.
haproxy has uid 106 in the container, which is mapped to uid 100106 on the
host, so it should be among those manageable by uid 0 (in the container).
Umberto
>
> -serge
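Added example, not code from either poster: a Python sketch of the two mechanisms discussed in this thread, the uid_map translation Serge describes and the /proc/<pid>/fd scan that netstat -p performs to attach a PID to a socket inode. netstat prints "-" for any process whose fd directory it cannot read, which the kernel only permits when the caller has ptrace-read access to that process. The uid_map and /proc/net/tcp lines below are constructed from the values quoted above (inode 12345 is made up).

```python
import os

# Constructed sample of /proc/self/uid_map, matching the mapping quoted in the thread:
# container uids 0..65535 -> host uids 100000..165535
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Constructed /proc/net/tcp entry: 127.0.0.1:3000 in state 0A (LISTEN), uid 106, inode 12345
SAMPLE_TCP_LINE = (
    "   0: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000   106        0 12345 1 0000000000000000 100 0 0 10 0"
)

def parse_uid_map(text):
    """Return (container_start, host_start, count) triples from a uid_map or gid_map."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cstart, hstart, count = (int(x) for x in line.split())
            rows.append((cstart, hstart, count))
    return rows

def container_to_host_uid(uid, rows):
    """Translate a container uid to its host uid; None if the uid is not mapped at all
    (such ids show up on the host as the overflow uid, typically nobody/65534)."""
    for cstart, hstart, count in rows:
        if cstart <= uid < cstart + count:
            return hstart + (uid - cstart)
    return None

def parse_proc_net_tcp(line):
    """Decode one /proc/net/tcp row into (local_addr, state, uid, inode).
    The address is hex in host byte order, so little-endian on x86."""
    f = line.split()
    hexaddr, hexport = f[1].split(":")
    octets = [str(int(hexaddr[i:i + 2], 16)) for i in range(6, -1, -2)]
    local = "%s:%d" % (".".join(octets), int(hexport, 16))
    return local, f[3], int(f[7]), int(f[9])

def find_pid_for_inode(inode, proc="/proc"):
    """Mimic netstat -p: look for a 'socket:[inode]' link under each /proc/<pid>/fd.
    A PermissionError on a pid's fd directory is exactly the case netstat shows as '-'."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir(proc)):
        fddir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fddir):
                if os.readlink(os.path.join(fddir, fd)) == target:
                    return int(pid)
        except (PermissionError, FileNotFoundError):
            continue  # not ptrace-readable by us, or the process already exited
    return None
```

Run inside the container as root, find_pid_for_inode() returning None for a socket whose /proc/net/tcp uid is mapped should point at a capability or ptrace-access restriction on the caller rather than at the uid mapping itself.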