[lxc-users] Privilege separation between containers
Narcis Garcia
debianlists at actiu.net
Tue Dec 3 18:19:41 UTC 2019
__________
I'm using this express-made address because personal addresses aren't
masked enough at this mail public archive. Public archive administrator
should fix this against automated addresses collectors.
El 3/12/19 a les 18:53, Serge E. Hallyn ha escrit:
> On Mon, Dec 02, 2019 at 08:34:33PM +0100, Narcis Garcia wrote:
>> For my first LXC tests, I've created an "lxc" unprivileged account and
>> "vhosts" group for it.
>>
>> One key of the unprivileged account is to not be same user as root one,
>> of course. But what about when I'm using same unprivileged account for
>> more that one container (VPS)?
>
> If you map the user's uid into the container, then if you are trying to
> keep the container segragated, you'll need separate accounts to own each
> container. Otherwise, you can just use different subuid ranges for each.
>
Sorry for my bad english (both to write and read):
Here is an example:
[host]$ ps -A -o pid,user,cmd | grep -ie lxc
658 root /usr/bin/lxcfs /var/lib/lxcfs/
12873 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps01
14246 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps02
15762 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps03
24076 root grep -ie lxc
Can a guest from "vps01" access to resources of "vps02" because of using
same host's user account?
[host]$ ps -A -o pid,user,cmd | grep 165641
13549 165641 /usr/sbin/exim4 -bd -q30m
15197 165641 /usr/sbin/exim4 -bd -q30m
24170 root grep 165641
PID 13549 is from vps01 and PID 15197 is from vps02
"165641" is the guest UID as seen by host.
More information about the lxc-users
mailing list