[lxc-users] Privilege separation between containers

Serge E. Hallyn serge at hallyn.com
Tue Dec 3 17:53:58 UTC 2019


On Mon, Dec 02, 2019 at 08:34:33PM +0100, Narcis Garcia wrote:
> For my first LXC tests, I've created an "lxc" unprivileged account and
> "vhosts" group for it.
> 
> One key of the unprivileged account is to not be same user as root one,
> of course. But what about when I'm using same unprivileged account for
> more that one container (VPS)?

If you map the user's uid into the container, then if you are trying to
keep the container segragated, you'll need separate accounts to own each
container.  Otherwise, you can just use different subuid ranges for each.

> I mean that, to be sure malicious user or program from one container, it
> hasn't permissions to access any to other container's resources, I
> suppose I should launch each unprivileged container with a different
> host's uid and gid.
> Am I right?
> 
> -- 
> 
> 
> __________
> I'm using this express-made address because personal addresses aren't
> masked enough at this mail public archive. Public archive administrator
> should fix this against automated addresses collectors.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users


More information about the lxc-users mailing list