[lxc-users] permissions question: netstat -anp does not show process for non owned processes

Umberto Nicoletti umberto.nicoletti at gmail.com
Tue May 3 19:26:29 UTC 2016


btw I just checked and this behaviour breaks some haproxyctl functions (at
least those relying on /proc)

On Tue, May 3, 2016 at 9:05 PM, Umberto Nicoletti <
umberto.nicoletti at gmail.com> wrote:

> On Tue, May 3, 2016 at 6:49 PM, Serge Hallyn <serge.hallyn at ubuntu.com>
> wrote:
>
>> Quoting Umberto Nicoletti (umberto.nicoletti at gmail.com):
>> > Hi all,
>> > I am dipping my toes into LXC and I'm liking what I see so far.
>> >
>> > I have one question about privileges/security inside containers: I have
>> > started a container and then accessed it with:
>> >
>> > lxc exec c1 /bin/bash
>> >
>> > If I run netstat -anp it will refuse to show me process information for
>> > processes that I do not own (even though I appear to be root).
>> >
>> > For instance an haproxy instance listening on port 3000 appears as the
>> > following (haproxy is running as user haproxy):
>> >
>> > root@c1:~# netstat -anp | grep 3000
>> > (Not all processes could be identified, non-owned process info
>> >  will not be shown, you would have to be root to see it all.)
>> > tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
>> >
>> > I am running the latest lxc/lxd on Ubuntu 16.04.
>> >
>> > From what I have read I understand there is some uid mapping going on but I
>> > was hoping someone could explain it to me or point me in the right
>> > direction.
>>
>> If I understand your email right, you'll be interested in
>>
>> man 7 user_namespaces
>>
>> (also available at
>> http://manpages.ubuntu.com/manpages/xenial/en/man7/user_namespaces.7.html
>> )
>>
>> Indeed your container root is privileged with respect to the container's
>> resources, but is not root on the host.  /proc/self/uid_map will show
>> how container uids are mapped.  For instance, if you have
>>
>> root@trusty-gui:/# cat /proc/self/uid_map
>>          0     100000       65536
>>
>> then root (uid 0) in the container is uid 100000 on the host.  It
>> is privileged with respect to uids mapped into the container, which
>> are host uids 100000-165535.  The container root is not privileged
>> against any task not owned by one of those host uids.
>>
>
> Thanks for taking the time to answer.
>
> This makes sense, still I don't understand why netstat won't show the pid
> and program for sockets owned by container processes like haproxy in my
> previous example.
>
> haproxy has uid 106 in the container which is mapped to uid 100106 on the
> host so it should be among those manageable by uid 0 (in the container).
>
> Umberto
>
>
>>
>> -serge
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>
>
>
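
The uid_map lookup discussed in the thread above, as an added example that is not part of the original messages: it parses the three-column uid_map format and translates uids in both directions. The sample map is the one quoted in the thread; the function names are hypothetical, and the second column is assumed to be read from inside a first-level container, so it refers to host uids.

```python
"""Translate uids through a user-namespace uid_map (added example)."""
from typing import List, Optional, Tuple

Extent = Tuple[int, int, int]  # (first uid inside, first uid outside, count)

# Constructed sample: the single-extent map quoted in the thread.
SAMPLE_UID_MAP = "         0     100000       65536\n"


def parse_uid_map(text: str) -> List[Extent]:
    """Parse uid_map text: one 'inside outside count' extent per line."""
    extents = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3 or not all(f.isdigit() for f in fields):
            raise ValueError(f"line {lineno}: expected three integers: {line!r}")
        inside, outside, count = map(int, fields)
        if count == 0:
            raise ValueError(f"line {lineno}: zero-length extent")
        extents.append((inside, outside, count))
    return extents


def to_host(extents: List[Extent], uid: int) -> Optional[int]:
    """Container uid -> uid in the parent namespace, or None if unmapped."""
    for inside, outside, count in extents:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def to_container(extents: List[Extent], host_uid: int) -> Optional[int]:
    """Parent-namespace uid -> container uid, or None if unmapped.

    None means container root holds no privilege over tasks with that uid.
    """
    for inside, outside, count in extents:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


if __name__ == "__main__":
    extents = parse_uid_map(SAMPLE_UID_MAP)
    for uid in (0, 106, 65535, 65536):
        print(f"container uid {uid:>5} -> host uid {to_host(extents, uid)}")
    for uid in (0, 100106, 165536):
        print(f"host uid {uid:>6} -> container uid {to_container(extents, uid)}")
```

To check a live container, pass the contents of /proc/self/uid_map to parse_uid_map in place of the sample string.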