On 08/01/16 19:58, Serge Hallyn wrote:
> Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
>> Hi,
>>
>>
>> Suppose that we create an unprivileged container as root (using the
>> download template or manually converting it with uidmapshift).
>>
>> Such container config will contain (for example) the following maps:
>>
>> lxc.id_map = u 0 100000 65536
>> lxc.id_map = g 0 100000 65536
>>
>> And root would be also allowed to use them:
>>
>> $ usermod --add-subuids 100000-165536 root
>> $ usermod --add-subgids 100000-165536 root
>>
>>
>> My question is....
>>
>> From a security point of view, does creating and starting an
>> unprivileged container as root make any difference than doing it as any
>> other user of the host?
> 
> Yes.
> 
> For example, if you'll then be running lxc-attach as root instead of as
> an unpriv user, then any attacks from inside the container against lxc-attach
> will attack the root user.
> 

Is this the only difference from a security point of view?
Suppose that I don't use lxc-attach, but lxc-console or login via ssh.
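
As an added example (not part of the original thread and not LXC's own code): a Python check that each `lxc.id_map` host range in a container config falls inside a sub-id range delegated to the user who starts the container. The function names, the constructed sample data mirroring the values quoted above, and the rule that a map must fit inside a single delegated range are assumptions of this example.

```python
"""Check that lxc.id_map host ranges fall inside a user's delegated sub-id ranges."""

# Constructed sample inputs, mirroring the values quoted in the thread.
SAMPLE_CONFIG = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
# "usermod --add-subuids 100000-165536 root" stores the range as name:start:count.
SAMPLE_SUBUID = "root:100000:65537\n"
SAMPLE_SUBGID = "root:100000:65537\n"


def parse_id_maps(config_text):
    """Return [(kind, container_start, host_start, count)] from lxc.id_map lines."""
    maps = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed id_map: {line!r}")
        maps.append((fields[0], int(fields[1]), int(fields[2]), int(fields[3])))
    return maps


def parse_subid(text, user):
    """Return inclusive [(first, last)] ranges for `user` from name:start:count lines."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            start, count = int(parts[1]), int(parts[2])
            ranges.append((start, start + count - 1))
    return ranges


def uncovered_maps(config_text, subuid_text, subgid_text, user):
    """Return id_map entries whose host range is not inside one delegated range."""
    allowed = {"u": parse_subid(subuid_text, user), "g": parse_subid(subgid_text, user)}
    bad = []
    for kind, cstart, hstart, count in parse_id_maps(config_text):
        hend = hstart + count - 1  # last host id the map would use
        if not any(lo <= hstart and hend <= hi for lo, hi in allowed[kind]):
            bad.append((kind, cstart, hstart, count))
    return bad


if __name__ == "__main__":
    print(uncovered_maps(SAMPLE_CONFIG, SAMPLE_SUBUID, SAMPLE_SUBGID, "root"))
```
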



_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
