[lxc-users] Privilege separation between containers

Narcis Garcia debianlists at actiu.net
Tue Dec 3 18:19:41 UTC 2019


__________
I'm using this express-made address because personal addresses aren't
masked enough at this mail public archive. Public archive administrator
should fix this against automated addresses collectors.
On 3/12/19 at 18:53, Serge E. Hallyn wrote:
> On Mon, Dec 02, 2019 at 08:34:33PM +0100, Narcis Garcia wrote:
>> For my first LXC tests, I've created an "lxc" unprivileged account and
>> "vhosts" group for it.
>>
>> One key of the unprivileged account is to not be same user as root one,
>> of course. But what about when I'm using same unprivileged account for
>> more than one container (VPS)?
> 
> If you map the user's uid into the container, then if you are trying to
> keep the container segregated, you'll need separate accounts to own each
> container.  Otherwise, you can just use different subuid ranges for each.
> 

Sorry for my bad English (both to write and read):
Here is an example:

[host]$ ps -A -o pid,user,cmd | grep -ie lxc
  658 root     /usr/bin/lxcfs /var/lib/lxcfs/
12873 unpriv   [lxc monitor] /home/unpriv/.local/share/lxc vps01
14246 unpriv   [lxc monitor] /home/unpriv/.local/share/lxc vps02
15762 unpriv   [lxc monitor] /home/unpriv/.local/share/lxc vps03
24076 root     grep -ie lxc

Can a guest from "vps01" access resources of "vps02" because of using the
same host's user account?

[host]$ ps -A -o pid,user,cmd | grep 165641
13549 165641   /usr/sbin/exim4 -bd -q30m
15197 165641   /usr/sbin/exim4 -bd -q30m
24170 root     grep 165641

PID 13549 is from vps01 and PID 15197 is from vps02
"165641" is the guest UID as seen by host.

