On Tue, Dec 03, 2019 at 07:19:41PM +0100, Narcis Garcia wrote:
> __________
> I'm using this express-made address because personal addresses aren't
> masked enough at this public mail archive. The public archive administrator
> should fix this against automated address collectors.
> On 3/12/19 at 18:53, Serge E. Hallyn wrote:
> > On Mon, Dec 02, 2019 at 08:34:33PM +0100, Narcis Garcia wrote:
> >> For my first LXC tests, I've created an "lxc" unprivileged account and
> >> a "vhosts" group for it.
> >>
> >> One key point of the unprivileged account is to not be the same user as
> >> the root one, of course. But what about when I'm using the same
> >> unprivileged account for more than one container (VPS)?
> >
> > If you map the user's uid into the container, then if you are trying to
> > keep the containers segregated, you'll need separate accounts to own each
> > container. Otherwise, you can just use different subuid ranges for each.
> >
>
> Sorry for my bad English (both writing and reading):
> Here is an example:
>
> [host]$ ps -A -o pid,user,cmd | grep -ie lxc
> 658 root /usr/bin/lxcfs /var/lib/lxcfs/
> 12873 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps01
> 14246 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps02
> 15762 unpriv [lxc monitor] /home/unpriv/.local/share/lxc vps03
> 24076 root grep -ie lxc
>
> Can a guest from "vps01" access resources of "vps02" because of using the
> same host user account?
It depends on how they are configured.

> [host]$ ps -A -o pid,user,cmd | grep 165641
> 13549 165641 /usr/sbin/exim4 -bd -q30m
> 15197 165641 /usr/sbin/exim4 -bd -q30m

Here they are running with the same subuid allocations, so if they can get a
reference to an object in another container (i.e. through a shared bind mount)
then they will have access. See the description of lxc.idmap in
lxc.container.conf(5).

> 24170 root grep 165641
>
> PID 13549 is from vps01 and PID 15197 is from vps02.
> "165641" is the guest UID as seen by the host.
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
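The reply above points at lxc.idmap as the fix: both containers currently map guest uid 0 onto the same slice of the host user's subuid allocation, so a process that reaches a file of the sibling container (via a shared bind mount, for instance) owns it outright. The script below is an added example, not code from the thread or from LXC itself. It carves one host user's allocation into disjoint per-container slices, emits the matching lxc.idmap lines for each container's config, checks that two slices do not overlap, and translates a guest uid into the host uid that `ps` would display. The /etc/subuid contents are constructed sample data; the user name "unpriv", the three container names and the `~/.local/share/lxc/<name>/config` path follow the thread and the usual unprivileged LXC layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC: give each container
# owned by one host account its own disjoint slice of that account's
# /etc/subuid allocation, so no two containers share a host uid.
set -eu

# Constructed stand-in for /etc/subuid (and /etc/subgid, same layout).
SUBID_FILE="$(mktemp)"
trap 'rm -f "$SUBID_FILE"' EXIT
cat > "$SUBID_FILE" <<'EOF'
root:100000:65536
unpriv:165536:196608
EOF

# Print "START COUNT" for USER's allocation in FILE (first matching line).
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "$2"
}

# Host id that guest id GUEST of container N maps to, assuming container N
# owns the N-th SIZE-wide slice of USER's allocation. Handy for reading
# the numeric uids that ps shows on the host.
host_id_of() {
    n="$1"; user="$2"; size="$3"; file="$4"; guest="$5"
    set -- $(subid_range "$user" "$file")
    [ $# -eq 2 ] || { echo "no subid range for $user" >&2; return 1; }
    echo $(( $1 + n * size + guest ))
}

# Emit the lxc.idmap lines for container N (0-based) of USER. Each
# container gets SIZE ids starting at offset N*SIZE inside the allocation;
# refuse to emit a range that would run past the end of it.
idmap_for_container() {
    n="$1"; user="$2"; size="$3"; file="$4"
    set -- $(subid_range "$user" "$file")
    [ $# -eq 2 ] || { echo "no subid range for $user" >&2; return 1; }
    start="$1"; count="$2"
    offset=$((n * size))
    if [ $((offset + size)) -gt "$count" ]; then
        echo "container $n would need ids beyond $user's $count-id allocation" >&2
        return 1
    fi
    printf 'lxc.idmap = u 0 %d %d\n' $((start + offset)) "$size"
    printf 'lxc.idmap = g 0 %d %d\n' $((start + offset)) "$size"
}

# Status 0 if host ranges [A_START, A_START+A_SIZE) and
# [B_START, B_START+B_SIZE) overlap: the condition under which a process
# in one container owns files of the other once it can reach them.
ranges_overlap() {
    a_end=$(($1 + $2)); b_end=$(($3 + $4))
    if [ "$1" -lt "$b_end" ] && [ "$3" -lt "$a_end" ]; then return 0; fi
    return 1
}

# Usage: three containers from one allocation, as in the thread.
for n in 0 1 2; do
    echo "# vps0$((n + 1)): put these in ~/.local/share/lxc/vps0$((n + 1))/config"
    idmap_for_container "$n" unpriv 65536 "$SUBID_FILE"
done
```

With the constructed allocation, vps01 maps guest uid 0 to host 165536, vps02 to 231072 and vps03 to 296608, and a guest uid 105 in vps01 shows up in host `ps` output as 165641 while the same guest uid in vps02 shows up as 231177. Disjoint ranges only remove the shared-owner problem; a bind mount that both containers can see is still shared, so the mounts themselves also need reviewing.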