Hi,
Suppose that we create an unprivileged container as root (using the download template or manually converting it with uidmapshift). Such container config will contain (for example) the following maps: lxc.id_map = u 0 100000 65536 lxc.id_map = g 0 100000 65536 And root would be also allowed to use them: $ usermod --add-subuids 100000-165536 root $ usermod --add-subgids 100000-165536 root My question is.... From a security point of view, does creating and starting an unprivileged container as root make any difference than doing it as any other user of the host? My understanding is that once the unprivileged container is running, root inside such container won't be able to get a host_uid < 100000 (in this example) so starting the unprivileged container as root will be as secure as starting the container as any other user that is allowed to do so via the subuid/subgid maps. Is this right? Thanks.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
