[lxc-users] Samba4 DC in an unprivileged container

Stéphane Graber stgraber at ubuntu.com
Wed Feb 7 17:18:10 UTC 2018


On Wed, Feb 07, 2018 at 06:28:50PM +0300, Andrey Repin wrote:
> Greetings, Frank Dornheim!
> 
> > I'm trying to set up a Samba4 AD in an unprivileged container:
> >
> > My OS is Ubuntu 17.10 server and my container is Ubuntu 17.10.
> >
> > My lxd version is:
> >
> >  Package: lxd
> >  Version: 2.18-0ubuntu6
> 
> > First, I have a working setup as a "privileged container".
> >  
> > But I want to secure my installation and transfer samba4 in an unprivileged container.
> 
> Unprivileged containers are no more secure than privileged containers,
> generally speaking.

Hmm, what?

A privileged container has uid 0 in the container be uid 0 at the kernel level.
An unprivileged container has uid 0 in the container mapped to uid
100000 at the kernel level.

Unprivileged containers are MASSIVELY more secure than privileged containers.
There are numerous ways to escape a privileged container, which come down
to the fact that you are running with full kernel privileges and so
rely entirely on things like capabilities and LSMs to protect your
system.

Unprivileged containers, on the other hand, are safe by design. An attack
which would allow root in an unprivileged container to escape to the
host would also be a user-to-root privilege escalation on every
normal Linux system. There are some of those every so often; they are
critical kernel security bugs and they do get fixed very quickly.

Unprivileged containers do not need a perfectly configured seccomp,
apparmor, capabilities set or cgroups to be safe; all of those are
merely extra safety nets in case the main privilege enforcement (user
namespace) fails due to a critical kernel security bug.

> > I get the lower error message when I do the setup with samba-tool domain provision.
> 
> Can you post your smb.conf before provisioning?
> 
> 
> -- 
> With best regards,
> Andrey Repin
> Wednesday, February 7, 2018 18:26:59
> 
> Sorry for my terrible English...
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
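An added illustration of the uid mapping Stéphane describes, not code from this thread or from LXD: it parses a user-namespace map in the format the kernel exposes at /proc/<pid>/uid_map and reports whether container root is really kernel uid 0. The two sample maps and the helper names are constructed for the example; the 100000/65536 range is the one assumed for an LXD default subuid allocation.

```python
# Added example: check whether a container's root is kernel uid 0 (privileged)
# or a mapped, unprivileged uid, by reading the user-namespace map the kernel
# exposes as "inside_start outside_start count" lines in /proc/<pid>/uid_map.
# Helper names are hypothetical; the sample maps are constructed, not captured.
from pathlib import Path
from typing import List, Tuple

# A uid with no mapping is shown as the kernel's overflowuid ("nobody").
OVERFLOW_UID = 65534


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map content into (inside_start, outside_start, count)."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            continue  # skip malformed lines rather than guess
        inside, outside, count = (int(p) for p in parts)
        ranges.append((inside, outside, count))
    return ranges


def to_host_uid(uid_map_text: str, container_uid: int) -> int:
    """Translate a uid as seen inside the namespace to the uid the kernel uses."""
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return OVERFLOW_UID


def is_unprivileged(uid_map_text: str) -> bool:
    """True when container uid 0 is NOT kernel uid 0, i.e. a user namespace applies."""
    return to_host_uid(uid_map_text, 0) != 0


def check_pid(pid="self") -> bool:
    """Inspect a live process: run on the host with a container's init pid."""
    return is_unprivileged(Path(f"/proc/{pid}/uid_map").read_text())


# Constructed samples of what the two container types look like from the host.
PRIVILEGED_MAP = "         0          0 4294967295\n"   # identity map: root is root
UNPRIVILEGED_MAP = "         0     100000      65536\n"  # root -> 100000 (assumed LXD range)

if __name__ == "__main__":
    for name, m in (("privileged", PRIVILEGED_MAP), ("unprivileged", UNPRIVILEGED_MAP)):
        print(f"{name}: uid 0 -> host uid {to_host_uid(m, 0)}, unprivileged={is_unprivileged(m)}")
```

A uid outside the mapped range (for instance 70000 against the unprivileged map) resolves to 65534, which is why files owned by unmapped uids show up as nobody inside the container.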