On Wed, Feb 07, 2018 at 06:28:50PM +0300, Andrey Repin wrote:
> Greetings, Frank Dornheim!
> 
> > > I'm trying to set up a Samba4 AD in an unprivileged container:
> > >  
> > > My OS is a ubuntu 17.10 server and my container is a ubuntu 17.10.
> >  
> > My lxd version is:
> >  
> >  Package: lxd 
> >  Version: 2.18-0ubuntu6
> 
> > First, I have a working setup as a "privileged container".
> >  
> > But I want to secure my installation and transfer samba4 in an unprivileged 
> > container.
> 
> Unprivileged containers are no more secure than privileged containers,
> generally speaking.

Hmm, what?

A privileged container has uid 0 in the container be uid 0 at the kernel level.
An unprivileged container has uid 0 in the container mapped to uid
100000 at the kernel level.

Unprivileged containers are MASSIVELY more secure than privileged containers.
There are numerous ways to escape a privileged container which come down
to the fact that you are running with full kernel privileges and so
entirely rely on things like capabilities and LSMs to protect your
system.

Unprivileged containers on the other hand are safe by design. An attack
which would allow root in an unprivileged container to escape to the
host would also be a user to root privilege escalation on every
normal Linux system. There are some of those every so often; they are
critical kernel security bugs and they do get fixed very quickly.

Unprivileged containers do not need a perfectly configured seccomp,
apparmor, capabilities set or cgroups to be safe, all of those are
merely extra safety nets in case the main privilege enforcement (user
namespace) fails due to a critical kernel security bug.

> > I get the error message below when I do the setup with samba-tool domain 
> > provision.
> 
> Can you post your smb.conf before provisioning?
> 
> 
> -- 
> With best regards,
> Andrey Repin
> Wednesday, February 7, 2018 18:26:59
> 
> Sorry for my terrible English...
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
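The uid mapping Stéphane describes (container uid 0 becoming kernel uid 100000) is exactly what the kernel exposes in /proc/<pid>/uid_map. The script below is an added example, not code from the thread or from LXD; it parses that format and translates container uids to kernel-level uids. The two maps it uses are constructed to match the thread (the unprivileged map also carries a second, hypothetical range to show that a map can have several lines); on a real system the same text comes from `cat /proc/self/uid_map` inside the container.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): translate a uid as seen inside a
# container into the uid the kernel actually enforces, using the
# /proc/<pid>/uid_map format: "inside_start outside_start count", one range per line.

# Constructed sample maps (not read from a live system).
# Unprivileged: container uid 0 -> kernel uid 100000, as described in the thread,
# plus a second hypothetical range to show multi-line maps are handled.
UNPRIV_MAP="0 100000 65536
65536 1000000 1000"
# Privileged: the identity map, so container root IS kernel root.
PRIV_MAP="0 0 4294967295"

# map_uid <inside_uid> <map_text>
# Prints the kernel-level uid that <inside_uid> maps to, or "unmapped" when no
# range covers it (such ids appear as the overflow uid, 65534/nobody, inside).
map_uid() {
    inside="$1"
    result="unmapped"
    # Here-document rather than a pipe so the loop runs in the current shell
    # and can set $result.
    while read -r in_start out_start count; do
        [ -z "$in_start" ] && continue
        if [ "$inside" -ge "$in_start" ] && [ "$inside" -lt $((in_start + count)) ]; then
            result=$((out_start + inside - in_start))
            break
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$result"
}

# is_privileged <map_text>
# Succeeds (exit 0) when container uid 0 maps to kernel uid 0, i.e. the
# "uid 0 in the container is uid 0 at the kernel level" case from the thread.
is_privileged() {
    [ "$(map_uid 0 "$1")" = "0" ]
}

# describe <label> <map_text>: print what root and an ordinary user map to.
describe() {
    printf '%s: container uid 0 -> kernel uid %s, container uid 1000 -> kernel uid %s' \
        "$1" "$(map_uid 0 "$2")" "$(map_uid 1000 "$2")"
    if is_privileged "$2"; then
        printf ' (privileged: root escapes rely on caps/LSM only)\n'
    else
        printf ' (unprivileged: user namespace is the primary boundary)\n'
    fi
}

describe "constructed unprivileged map" "$UNPRIV_MAP"
describe "constructed privileged map" "$PRIV_MAP"

# If run on a real Linux system, also report the map of the shell's own process.
if [ -r /proc/self/uid_map ]; then
    describe "this process (/proc/self/uid_map)" "$(cat /proc/self/uid_map)"
fi
```

Running it inside an LXD container (for example via `lxc exec <name> -- sh script.sh`) reports whether that container's root is kernel root; the LXD config key that selects the privileged behaviour is `security.privileged`.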
