[lxc-users] Privilege separation between containers

Serge E. Hallyn serge at hallyn.com
Sun Dec 8 05:03:30 UTC 2019 

On Tue, Dec 03, 2019 at 07:19:41PM +0100, Narcis Garcia wrote:
> __________
> I'm using this express-made address because personal addresses aren't
> masked enough at this mail public archive. Public archive administrator
> should fix this against automated addresses collectors.
> El 3/12/19 a les 18:53, Serge E. Hallyn ha escrit:
> > On Mon, Dec 02, 2019 at 08:34:33PM +0100, Narcis Garcia wrote:
> >> For my first LXC tests, I've created an "lxc" unprivileged account and
> >> "vhosts" group for it.
> >>
> >> One key of the unprivileged account is to not be same user as root one,
> >> of course. But what about when I'm using same unprivileged account for
> >> more that one container (VPS)?
> > 
> > If you map the user's uid into the container, then if you are trying to
> > keep the container segragated, you'll need separate accounts to own each
> > container.  Otherwise, you can just use different subuid ranges for each.
> > 
> 
> Sorry for my bad english (both to write and read):
> Here is an example:
> 
> [host]$ ps -A -o pid,user,cmd | grep -ie lxc
>   658 root     /usr/bin/lxcfs /var/lib/lxcfs/
> 12873 unpriv   [lxc monitor] /home/unpriv/.local/share/lxc vps01
> 14246 unpriv   [lxc monitor] /home/unpriv/.local/share/lxc vps02
> 15762 unpriv   [lxc monitor] /home/unpriv/.local/share/lxc vps03
> 24076 root     grep -ie lxc
> 
> Can a guest from "vps01" access to resources of "vps02" because of using
> same host's user account?

It depends on how they are configured.

> [host]$ ps -A -o pid,user,cmd | grep 165641
> 13549 165641   /usr/sbin/exim4 -bd -q30m
> 15197 165641   /usr/sbin/exim4 -bd -q30m

Here they are running with the same subuid allocations, so if they can get
a reference to an object in another container (i.e. through a shared bind
mount) then they will have access.

See the description of lxc.idmap in lxc.container.conf(5)

> 24170 root     grep 165641
> 
> PID 13549 is from vps01 and PID 15197 is from vps02
> "165641" is the guest UID as seen by host.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

More information about the lxc-users mailing list