[lxc-users] Owner of an unprivileged container
Hello,

I run several containers on my server and, following the security advice, they are unprivileged. Each container belongs to one user and I am asking myself if this is a "good practice"...

Thus my question is if there are some differences between:
- an unprivileged container owned by root with 'lxc.id_map' in its config file to make it unprivileged,
- a similar unprivileged container but owned by a classical user.

From the practical point of view, I have to admit that a container owned by root is easier to handle but, from the security point of view, is it safer to give the unprivileged container to a user than to root? Or is the namespace sufficient to avoid escape from an unprivileged container that belongs to root?

What are your "good practices" in the matter? All belong to root? All belong to one devoted user? Or, as I do, one user for one container?

Thanks,
Xavier

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Owner of an unprivileged container
Quoting Xavier Gendre (gendre.rei...@gmail.com):
> Hello,
>
> I run several containers on my server and, following the security
> advice, they are unprivileged. Each container belongs to one user
> and I am asking myself if this is a "good practice"...
>
> Thus my question is if there are some differences between:
> - an unprivileged container owned by root with 'lxc.id_map' in its
> config file to make it unprivileged,
> - a similar unprivileged container but owned by a classical user.
>
> From the practical point of view, I have to admit that a container
> owned by root is easier to handle but, from the security point of
> view, is it safer to give the unprivileged container to a user
> than to root? Or is the namespace sufficient to avoid escape from an
> unprivileged container that belongs to root?

The main difference would be that the container startup and the container monitor end up running as root if started by root. This is a pretty small, but not zero, attack surface.

> What are your "good practices" in the matter? All belong to root?
> All belong to one devoted user? Or, as I do, one user for one
> container?

Currently that's probably mainly decided by practicality. If you want to use an encrypted lvm backing store (I do) then you need to have root start the container. The biggest advantage in my opinion of using fully unprivileged containers (starting them as non-root user) is so that users other than you can create/start them without having root access. Failing that, I still prefer to use fully unpriv containers myself when possible, to reduce the amount of time I spend as root.
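Two small audits that follow from the distinction Serge draws above, written here as an added example (this is not code from the thread or from the LXC project): `root_monitors` lists containers whose lxc-start monitor runs as uid 0, i.e. the root-started case with its "small but not zero" attack surface, and `idmap_check` verifies that a root-owned container's `lxc.id_map` lines stay inside the range /etc/subuid allots to that user. The ps output and the config/subuid contents are constructed samples so the script runs offline; the assumption that the monitor's argv ends with the container name (lxc-start titles it "[lxc monitor] <lxcpath> <name>") is mine, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC itself.
#   root_monitors - which container monitors run as uid 0
#   idmap_check   - whether lxc.id_map stays inside the user's /etc/subuid range

# Constructed sample of `ps -eo uid,user,pid,comm,args` output (assumption:
# the monitor title ends with the container name).
SAMPLE_PS='UID USER PID COMMAND ARGS
0 root 1201 lxc-start [lxc monitor] /var/lib/lxc web
1000 xavier 1344 lxc-start [lxc monitor] /home/xavier/.local/share/lxc db
0 root 1500 sshd /usr/sbin/sshd -D
1001 bob 1602 lxc-start [lxc monitor] /home/bob/.local/share/lxc app'

# root_monitors: read ps-style lines on stdin and print the name of every
# container whose lxc-start monitor runs as uid 0 (the header line is
# skipped because "UID" never compares equal to 0).
root_monitors() {
  awk '$1 == 0 && $4 == "lxc-start" { print $NF }'
}

# idmap_check CONFIG SUBUID USER: print "ok" when every user ("u")
# lxc.id_map line in CONFIG lies inside USER's allocation in SUBUID
# (format user:start:count), "outside" when any line exceeds it, and
# "no-subuid" (exit status 1) when USER has no allocation at all.
idmap_check() {
  cfg=$1
  sub=$2
  user=$3
  range=$(printf '%s\n' "$sub" | awk -F: -v u="$user" '$1 == u { print $2, $3; exit }')
  if [ -z "$range" ]; then
    echo "no-subuid"
    return 1
  fi
  set -- $range
  printf '%s\n' "$cfg" | awk -v s="$1" -v c="$2" '
    # lxc.id_map = u <container-start> <host-start> <count>
    $1 == "lxc.id_map" && $3 == "u" {
      if ($5 + 0 < s + 0 || $5 + $6 > s + c) bad = 1
    }
    END { print (bad ? "outside" : "ok") }'
}

# Constructed /etc/subuid and container config for a root-owned
# unprivileged container, as in the question above.
ROOT_SUBUID='root:100000:65536
xavier:165536:65536'
ROOT_CFG='lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# Stand-alone demo; a live run would use
#   ps -eo uid,user,pid,comm,args | root_monitors
# and the real /etc/subuid and config files.
printf '%s\n' "$SAMPLE_PS" | root_monitors
idmap_check "$ROOT_CFG" "$ROOT_SUBUID" root
```

The first check is the one to rerun after changing how containers are started: a container that moved from root-owned to user-owned should disappear from the `root_monitors` output. The second guards the root-owned case, where a mapping that reaches past the subuid allocation would hand the container host ids nobody intended it to have.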
Re: [lxc-users] Owner of an unprivileged container
Hi Serge,

is there any standard implementation for starting user-unprivileged containers at boot? I am not talking about containers which are uidmapped (and started) by root to be unprivileged. I mean containers which are created by unprivileged users in their home dirs.

Tnx for info,
b.

On 3 April 2015 at 23:46, Serge Hallyn wrote:
> Quoting Xavier Gendre (gendre.rei...@gmail.com):
> > Hello,
> >
> > I run several containers on my server and, following the security
> > advice, they are unprivileged. Each container belongs to one user
> > and I am asking myself if this is a "good practice"...
> >
> > Thus my question is if there are some differences between:
> > - an unprivileged container owned by root with 'lxc.id_map' in its
> > config file to make it unprivileged,
> > - a similar unprivileged container but owned by a classical user.
> >
> > From the practical point of view, I have to admit that a container
> > owned by root is easier to handle but, from the security point of
> > view, is it safer to give the unprivileged container to a user
> > than to root? Or is the namespace sufficient to avoid escape from an
> > unprivileged container that belongs to root?
>
> The main difference would be that the container startup and the
> container monitor end up running as root if started by root. This
> is a pretty small, but not zero, attack surface.
>
> > What are your "good practices" in the matter? All belong to root?
> > All belong to one devoted user? Or, as I do, one user for one
> > container?
>
> Currently that's probably mainly decided by practicality. If you
> want to use an encrypted lvm backing store (I do) then you need
> to have root start the container. The biggest advantage in my
> opinion of using fully unprivileged containers (starting them as
> non-root user) is so that users other than you can create/start
> them without having root access. Failing that, I still prefer to
> use fully unpriv containers myself when possible, to reduce the
> amount of time I spend as root.
Re: [lxc-users] Owner of an unprivileged container
Quoting Bostjan Skufca (bost...@a2o.si):
> Hi Serge,
>
> is there any standard implementation for starting user-unprivileged
> containers at boot? I am not talking about containers which are uidmapped

No - that's another reason to use root-owned unprivileged containers. You could write your own boot scripts to do it, but right now there is no standardized support for it. Hopefully we can talk about how to do that properly with a systemd unit and lxc-autostart soon.

> (and started) by root to be unprivileged. I mean containers which are
> created by unprivileged users in their home dirs.
>
> Tnx for info,
> b.
>
>
> On 3 April 2015 at 23:46, Serge Hallyn wrote:
>
> > Quoting Xavier Gendre (gendre.rei...@gmail.com):
> > > Hello,
> > >
> > > I run several containers on my server and, following the security
> > > advice, they are unprivileged. Each container belongs to one user
> > > and I am asking myself if this is a "good practice"...
> > >
> > > Thus my question is if there are some differences between:
> > > - an unprivileged container owned by root with 'lxc.id_map' in its
> > > config file to make it unprivileged,
> > > - a similar unprivileged container but owned by a classical user.
> > >
> > > From the practical point of view, I have to admit that a container
> > > owned by root is easier to handle but, from the security point of
> > > view, is it safer to give the unprivileged container to a user
> > > than to root? Or is the namespace sufficient to avoid escape from an
> > > unprivileged container that belongs to root?
> >
> > The main difference would be that the container startup and the
> > container monitor end up running as root if started by root. This
> > is a pretty small, but not zero, attack surface.
> >
> > > What are your "good practices" in the matter? All belong to root?
> > > All belong to one devoted user? Or, as I do, one user for one
> > > container?
> >
> > Currently that's probably mainly decided by practicality. If you
> > want to use an encrypted lvm backing store (I do) then you need
> > to have root start the container. The biggest advantage in my
> > opinion of using fully unprivileged containers (starting them as
> > non-root user) is so that users other than you can create/start
> > them without having root access. Failing that, I still prefer to
> > use fully unpriv containers myself when possible, to reduce the
> > amount of time I spend as root.
Re: [lxc-users] Owner of an unprivileged container
Hi Serge,

On 03/04/2015 23:46, Serge Hallyn wrote:
> Quoting Xavier Gendre (gendre.rei...@gmail.com):
> > Hello,
> >
> > I run several containers on my server and, following the security
> > advice, they are unprivileged. Each container belongs to one user
> > and I am asking myself if this is a "good practice"...
> >
> > Thus my question is if there are some differences between:
> > - an unprivileged container owned by root with 'lxc.id_map' in its
> > config file to make it unprivileged,
> > - a similar unprivileged container but owned by a classical user.
> >
> > From the practical point of view, I have to admit that a container
> > owned by root is easier to handle but, from the security point of
> > view, is it safer to give the unprivileged container to a user
> > than to root? Or is the namespace sufficient to avoid escape from an
> > unprivileged container that belongs to root?
>
> The main difference would be that the container startup and the
> container monitor end up running as root if started by root. This
> is a pretty small, but not zero, attack surface.

Thank you for this security information. Indeed, this is not a zero attack surface but I have to admit that this is a sufficiently small one for my little server.

> > What are your "good practices" in the matter? All belong to root?
> > All belong to one devoted user? Or, as I do, one user for one
> > container?
>
> Currently that's probably mainly decided by practicality. If you
> want to use an encrypted lvm backing store (I do) then you need
> to have root start the container. The biggest advantage in my
> opinion of using fully unprivileged containers (starting them as
> non-root user) is so that users other than you can create/start
> them without having root access. Failing that, I still prefer to
> use fully unpriv containers myself when possible, to reduce the
> amount of time I spend as root.

I have discussed that with some people in the IRC channel #lxcontainers and I agree with you. Unprivileged root-owned containers are quite unavoidable for some particular usage.

In the future, I will keep the simple containers as user-owned and put the complicated ones as root-owned. Anyway, I will deal with some trade-offs between root and user ownership ;-)

Thx,
Xavier