[lxc-users] Security gain: Start Unpriviledged container as root or as regular user?
georg at schorsch-tech.de
Sun Aug 18 10:36:51 UTC 2019
i use currently unprivileged lxc containers on debian buster started as
root. I use for every container a separate set of uid/gids.
If i start the container from root, the lxc-monitor is run by root on
the host. Init is on uid 100000 (seen from host).
If i start it as a regular user, lxc-monitor is run by uid 1000 and init
in the container is at 101000 (seen from host).
The containers are apache, postgres and postfix/courier. There are no
other users able to login via ssh. postgres is just the backend for the
NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
mail RUNNING 1 - 192.xxx.xxx.xxx - true
postgres RUNNING 1 - 192.xxx.xxx.xxx - true
www RUNNING 1 - 192.xxx.xxx.xxx - true
Debian Buster uses LXC 3.1.0
Is in this setup any security gained, if the containers are started as a
separate user different that root on the host?
I would prefer to start them as root from /var/lib/lxc as a simple
lxc.auto.start = 1 let them be started at system boot.
More information about the lxc-users