[lxc-users] Separate sub(g)uid for each container?

Serge E. Hallyn serge at hallyn.com
Thu Feb 16 16:19:36 UTC 2017


Quoting mleuker (michael at leuker.me):
> I'm referencing John Siu's https://lists.linuxcontainers.org/pipermail/lxc-users/2016-February/010960.html which was never answered conclusively. My setup currently separates each unprivileged container with a different subuid / subgid range, e.g.
> 
> lxc1    1000000 65536
> lxc2    1100000 65536
> lxc3    1200000 65536
> ...
> 
> The question is whether there is any gain in security doing this or if running all containers with the same sub(g)uid offers enough protection when apparmor and lxcfs are enabled.

There is still a security gain.

> What for example happens if one of the containers is taken over? We know that
> the host is protected well enough since gaining root in the container doesn't
> help the attacker do much on the host. But could he or she use the breach as
> an attack vector against other containers *specifically* because they are
> running with the same sub(g)uid set?

Yes.

-serge
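As an added, defender-side illustration of the point Serge confirms (this is not code from the thread or from the LXC project): a small Python checker that parses `/etc/subuid`-style entries (`name:start:count`), flags any two owners whose ranges overlap, and emits the matching `lxc.idmap` lines for a container. The sample entries are constructed, modelled on the ranges quoted above; the `shared` entry is an invented collision so the report has something to show. The `lxc.idmap` key name is the LXC 2.1+ spelling (older releases used `lxc.id_map`).

```python
"""Check that unprivileged LXC containers get disjoint sub-UID/sub-GID ranges.

Two containers that share a mapped range share host-side ownership of every
file their mapped users create, so a compromise of one reaches the other's
files on any shared or mis-permissioned path. Disjoint ranges remove that
overlap at the filesystem-ownership level.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IdRange:
    owner: str      # container name (or host user) that owns the range
    start: int      # first host id in the range
    count: int      # number of ids in the range

    @property
    def end(self) -> int:
        """Exclusive upper bound of the range."""
        return self.start + self.count

    def overlaps(self, other: "IdRange") -> bool:
        """True when the two half-open ranges share at least one id."""
        return self.start < other.end and other.start < self.end


def parse_subid(text: str) -> List[IdRange]:
    """Parse /etc/subuid or /etc/subgid content; blank and '#' lines are skipped."""
    ranges: List[IdRange] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        name, start, count = parts
        ranges.append(IdRange(name.strip(), int(start), int(count)))
    return ranges


def find_overlaps(ranges: List[IdRange]) -> List[Tuple[IdRange, IdRange]]:
    """Return every pair of ranges that overlap, in ascending start order.

    Sorting by start lets the inner loop stop as soon as a later range begins
    at or beyond the current range's end.
    """
    ordered = sorted(ranges, key=lambda r: (r.start, r.owner))
    hits: List[Tuple[IdRange, IdRange]] = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break
            if a.overlaps(b):
                hits.append((a, b))
    return hits


def lxc_idmap_lines(uid_range: IdRange, gid_range: IdRange) -> List[str]:
    """Emit the container config lines mapping container id 0.. onto the host ranges."""
    return [
        f"lxc.idmap = u 0 {uid_range.start} {uid_range.count}",
        f"lxc.idmap = g 0 {gid_range.start} {gid_range.count}",
    ]


# Constructed sample modelled on the ranges quoted in the thread. The
# 'shared' entry is invented: it straddles lxc1's and lxc2's ranges.
SAMPLE_SUBUID = """\
# constructed /etc/subuid sample
lxc1:1000000:65536
lxc2:1100000:65536
lxc3:1200000:65536
shared:1050000:65536
"""


def report(text: str) -> List[str]:
    """Human-readable lines describing each overlapping pair."""
    return [
        f"{a.owner} [{a.start}-{a.end - 1}] overlaps {b.owner} [{b.start}-{b.end - 1}]"
        for a, b in find_overlaps(parse_subid(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_SUBUID) or ["no overlapping ranges"]:
        print(line)
    for line in lxc_idmap_lines(IdRange("lxc1", 1000000, 65536),
                                IdRange("lxc1", 1000000, 65536)):
        print(line)
```

To run it against a real host, read `/etc/subuid` and `/etc/subgid` and pass the contents to `report`; any line printed names a pair of containers whose mapped users share host-side ownership.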
