Hmm, this is interesting. I am running my container from the unprivileged user 'lxduser' and yet:

root@qumind:~# ps -ef | grep '[l]xc monitor'
root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga

What is wrong here?

-----"lxc-users" <lxc-users-boun...@lists.linuxcontainers.org> wrote: -----

To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
From: Serge Hallyn
Sent by: "lxc-users"
Date: 01/11/2016 19:00
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):

> On 08/01/16 19:58, Serge Hallyn wrote:
> > Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> >> Hi,
> >>
> >> Suppose that we create an unprivileged container as root (using the
> >> download template or manually converting it with uidmapshift).
> >>
> >> Such container config will contain (for example) the following maps:
> >>
> >> lxc.id_map = u 0 100000 65536
> >> lxc.id_map = g 0 100000 65536
> >>
> >> And root would be also allowed to use them:
> >>
> >> $ usermod --add-subuids 100000-165536 root
> >> $ usermod --add-subgids 100000-165536 root
> >>
> >> My question is....
> >>
> >> From a security point of view, does creating and starting an
> >> unprivileged container as root make any difference than doing it as any
> >> other user of the host?
> >
> > Yes.
> >
> > For example, if you'll then be running lxc-attach as root instead of as
> > an unpriv user, then any attacks from inside the container against
> > lxc-attach will attack the root user.
>
> Is this the only difference from a security point of view?
> Suppose that I don't use lxc-attach, but lxc-console or login via ssh.

The monitor (look for "[lxc monitor]" in the process listing) runs with your uid. So if there were a way for the container to make the lxc monitor execute code, it would be privilege escalation.

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
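An added audit check, not part of the thread and not LXC's own tooling, that applies Serge's point: it lists the containers whose "[lxc monitor]" process is owned by a given host user, so an operator can spot monitors running as root. The ps lines in SAMPLE_PS are constructed; the function names are my own.

```shell
# Constructed sample of `ps -ef` output: one monitor owned by root (the case
# from the thread), one owned by an unprivileged user, one unrelated process.
SAMPLE_PS='root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
lxduser   8123     1  0 12:01 ?        00:00:00 [lxc monitor] /home/lxduser/.local/share/lxc web
root      8201  8123  0 12:01 ?        00:00:00 /usr/sbin/unrelated-daemon'

# monitors_owned_by USER: reads ps -ef style lines on stdin and prints the
# container name (last field of the monitor command line) of every
# "[lxc monitor]" process whose first column (the owner) equals USER.
monitors_owned_by() {
    awk -v u="$1" '$1 == u && /\[lxc monitor\]/ { print $NF }'
}

# root_monitors: containers in SAMPLE_PS whose monitor runs as root; any
# output here means a monitor compromise would be a root compromise.
root_monitors() {
    printf '%s\n' "$SAMPLE_PS" | monitors_owned_by root
}

root_monitors
```

On a live host, replace the sample with `ps -eo user,args | monitors_owned_by root`, whose first column is again the owning user.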