Quoting Antoine Catton (acat...@tiolive.com):
> Hi everybody,
>
>
> I'm trying to start a container as user. After some patches, I managed
> to have something working.
>
> lxc-start execs /sbin/init inside the container as expected. (My
> container is a Debian one, but it doesn't matter I think), since
> sysvinit checks if the current uid is root, it doesn't work. I get :
>
> $ lxc-start […]
>
> init: must be superuser.
>
> If I run :
>
> lxc-start […] /usr/bin/whoami
> I get :
>
> /usr/bin/whoami: cannot find name for user ID [my user id]
>
> A successful workaround is to put a suid on /sbin/init inside the
> container. But I would like to avoid it. Because, besides being dirty,
> it allows anyone inside the container to run /sbin/init as root.
>
> I read lxc code, I didn't find any place where lxc-start used setuid(),
> or changed uid before exec'ing. (Maybe I just didn't see it.)
>
> This makes me wonder two things…
> – Is it possible to start/stop a container as user ? How'd you do it ?
> – Do you use the kernel's user namespace ? How do you change user uid
> before starting a container ?

The kernel's user namespace support isn't quite sufficient yet (I will
be checking later this week with a new version), but the patch I have
for lxc will, if lxc.uidmap is specified in the config file, cause your
container's /sbin/init to start as uid 0 in the container (mapped to
uid whatever on the host). Hopefully a proof of concept will be working
in the next few weeks, or at least before winter.

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
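
Added example, not part of the original thread and not lxc code: the kernel exposes a user namespace's mapping in /proc/<pid>/uid_map, and the code below translates a container uid to its host uid and checks whether container root is also host root. The map values are constructed samples; the lxc.uidmap syntax from the patch is not shown in the thread and is not assumed here.

```python
# Added example: translate uids through a kernel uid_map (/proc/<pid>/uid_map).
# Each line is "<first uid inside ns> <first uid outside ns> <count>".
from typing import List, Optional, Tuple

Extent = Tuple[int, int, int]

# Constructed sample: container uids 0-65535 map to host uids 100000-165535.
SAMPLE_UID_MAP = "         0     100000      65536\n"
# What a process in the initial namespace shows: identity map, uid 0 is real root.
IDENTITY_UID_MAP = "         0          0 4294967295\n"


def parse_uid_map(text: str) -> List[Extent]:
    """Parse uid_map text into (inside_start, outside_start, count) extents."""
    extents = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"line {lineno}: count must be positive")
        extents.append((inside, outside, count))
    return extents


def to_host_uid(extents: List[Extent], container_uid: int) -> Optional[int]:
    """Return the host uid for a container uid, or None if it is unmapped."""
    for inside, outside, count in extents:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def container_root_is_host_root(extents: List[Extent]) -> bool:
    """True when uid 0 inside the namespace is also uid 0 outside it."""
    return to_host_uid(extents, 0) == 0


if __name__ == "__main__":
    m = parse_uid_map(SAMPLE_UID_MAP)
    print("container uid 0 -> host uid", to_host_uid(m, 0))
    print("container uid 70000 ->", to_host_uid(m, 70000))  # outside the extent
    print("container root is host root:", container_root_is_host_root(m))
```
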