[lxc-users] Separate sub(g)uid for each container?
Serge E. Hallyn
serge at hallyn.com
Thu Feb 16 16:19:36 UTC 2017
Quoting mleuker (michael at leuker.me):
> I'm referencing John Siu's https://lists.linuxcontainers.org/pipermail/lxc-users/2016-February/010960.html which was never answered conclusively. My setup currently separates each unprivileged container with a different subuid / subguid range, e.g.
>
> lxc1 1000000 65536
> lxc2 1100000 65536
> lxc3 1200000 65536
> ...
>
> The question is whether there is any gain in security doing this or if running all containers with the same sub(g)uid offers enough protection when apparmor and lxcfs are enabled.
There is still a security gain.
> What for example happens if one of the containers is taken over? We know that
> the host is protected well enough since gaining root in the container doesn't
> help the attacker do much on the host. But could he or she use the breach as
> an attack vector against other containers *specifically* because they are
> running with the same sub(g)uid set?
Yes.
-serge
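
Added example, not part of the original messages: a Python check that reads allocation lines in the `name start count` form shown in the question (the colon-separated form used by /etc/subuid is also accepted) and reports every pair of containers whose host ID ranges overlap. Where ranges overlap, IDs inside different containers map to the same host IDs, so host-side ownership checks cannot tell those containers apart. The function names and the SHARED sample are constructed for illustration.

```python
from itertools import combinations

def parse_allocations(text):
    """Parse 'name start count' lines, whitespace- or colon-separated."""
    allocs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.replace(":", " ").split()
        if len(fields) != 3:
            raise ValueError(f"malformed allocation line: {raw!r}")
        name, start, count = fields[0], int(fields[1]), int(fields[2])
        if start < 0 or count <= 0:
            raise ValueError(f"invalid range in line: {raw!r}")
        allocs.append((name, start, count))
    return allocs

def find_overlaps(allocs):
    """Return (name_a, name_b, first_shared_id, shared_count) per overlapping pair."""
    overlaps = []
    for (na, sa, ca), (nb, sb, cb) in combinations(allocs, 2):
        if na == nb:
            continue                          # several ranges for one owner are not a cross-container issue
        lo = max(sa, sb)                      # first host ID both ranges could contain
        hi = min(sa + ca, sb + cb)            # one past the last host ID both could contain
        if lo < hi:
            overlaps.append((na, nb, lo, hi - lo))
    return overlaps

# Layout from the question: one disjoint range per container.
SEPARATE = """
lxc1 1000000 65536
lxc2 1100000 65536
lxc3 1200000 65536
"""

# Constructed sample: one fully shared range and one partial overlap.
SHARED = """
lxc1 1000000 65536
lxc2 1000000 65536
lxc3 1050000 65536
"""

if __name__ == "__main__":
    for label, text in (("separate", SEPARATE), ("shared", SHARED)):
        found = find_overlaps(parse_allocations(text))
        print(label, "->", found if found else "no overlapping ranges")
```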