[lxc-users] Privilege separation between containers
Serge E. Hallyn
serge at hallyn.com
Sun Dec 8 05:03:30 UTC 2019
On Tue, Dec 03, 2019 at 07:19:41PM +0100, Narcis Garcia wrote:
> __________
> I'm using this express-made address because personal addresses aren't
> masked enough at this mail public archive. Public archive administrator
> should fix this against automated addresses collectors.
> El 3/12/19 a les 18:53, Serge E. Hallyn ha escrit:
> > On Mon, Dec 02, 2019 at 08:34:33PM +0100, Narcis Garcia wrote:
> >> For my first LXC tests, I've created an "lxc" unprivileged account and
> >> "vhosts" group for it.
> >>
> >> One key of the unprivileged account is to not be same user as root one,
> >> of course. But what about when I'm using same unprivileged account for
> >> more than one container (VPS)?
> >
> > If you map the user's uid into the container, then if you are trying to
> > keep the container segregated, you'll need separate accounts to own each
> > container. Otherwise, you can just use different subuid ranges for each.
> >
>
> Sorry for my bad English (both to write and read):
> Here is an example:
>
> [host]$ ps -A -o pid,user,cmd | grep -ie lxc
> 658 root /usr/bin/lxcfs /var/lib/lxcfs/
> 12873 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps01
> 14246 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps02
> 15762 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps03
> 24076 root grep -ie lxc
>
> Can a guest from "vps01" access resources of "vps02" because of using
> the same host user account?
It depends on how they are configured.
> [host]$ ps -A -o pid,user,cmd | grep 165641
> 13549 165641 /usr/sbin/exim4 -bd -q30m
> 15197 165641 /usr/sbin/exim4 -bd -q30m
Here they are running with the same subuid allocations, so if they can get
a reference to an object in another container (i.e. through a shared bind
mount) then they will have access.
See the description of lxc.idmap in lxc.container.conf(5).
> 24170 root grep 165641
>
> PID 13549 is from vps01 and PID 15197 is from vps02
> "165641" is the guest UID as seen by host.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
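An added check, not from the thread, for the situation Serge describes: it reads the lxc.idmap lines of two container configs and reports whether their host-side uid/gid ranges intersect (same host ids, so a shared object would be reachable from both). The config paths and ranges are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: check whether two unprivileged
# container configs map onto overlapping host uid/gid ranges.
# lxc.idmap format (lxc.container.conf(5)):
#   lxc.idmap = <u|g> <container_start> <host_start> <count>

# Print each host-side range of a config as "<u|g> <host_first> <host_last>".
idmap_ranges() {
    sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$1" |
    while read -r type _ host_start count; do
        [ -n "$count" ] || continue
        printf '%s %s %s\n' "$type" "$host_start" "$((host_start + count - 1))"
    done
}

# Exit 0 and print the colliding ranges if any uid (or gid) range of $1
# intersects one of $2; exit 1 if the two configs are disjoint on the host.
idmap_overlap() {
    idmap_ranges "$1" | while read -r t1 s1 e1; do
        idmap_ranges "$2" | while read -r t2 s2 e2; do
            [ "$t1" = "$t2" ] || continue
            if [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]; then
                printf 'overlap %s: %s-%s (%s) vs %s-%s (%s)\n' \
                    "$t1" "$s1" "$e1" "$1" "$s2" "$e2" "$2"
            fi
        done
    done | grep '^overlap'
}

# Constructed sample configs written under a scratch directory (hypothetical).
write_samples() {
    dir=$1
    # vps01 and vps02 both use the 100000-165535 block: same host ids
    printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$dir/vps01.conf"
    printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$dir/vps02.conf"
    # vps03 gets its own block, so its guest ids never coincide on the host
    printf 'lxc.idmap = u 0 200000 65536\nlxc.idmap = g 0 200000 65536\n' > "$dir/vps03.conf"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
idmap_overlap "$SAMPLES/vps01.conf" "$SAMPLES/vps02.conf"    # reports the overlap
idmap_overlap "$SAMPLES/vps01.conf" "$SAMPLES/vps03.conf" || echo "vps01/vps03 disjoint"
```

Run it against the real configs (for an unprivileged user typically under ~/.local/share/lxc/<name>/config) to confirm each container has its own subuid/subgid block before relying on the separation.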