On Sun, Aug 18, 2019 at 5:36 PM Georg Gast <ge...@schorsch-tech.de> wrote:
> Hi,
>
> I currently use unprivileged lxc containers on Debian Buster started as
> root. I use for every container a separate set of uid/gids.
>
> Debian Buster uses LXC 3.1.0
>
> Is in this setup any security gained, if the containers are started as a
> separate user different than root on the host?

In general, yes. It should at least protect you from possible security issues in lxc-monitor.

However even if you do that, IIRC some processes still need to run as root (or with a suid binary), e.g. lxcfs and lxc-user-nic. So you'd still be vulnerable if there are security issues in those processes.

> I would prefer to start them as root from /var/lib/lxc as a simple
> lxc.auto.start = 1 lets them be started at system boot.

Generally you'd choose a mix between acceptable levels of ease - performance - security.

Personally, for your use case, instead of using lxc directly, I recommend you install snapd (and lxd from the snap package) or build lxd yourself (if you don't want to use snap). Use a suitable storage backend (e.g. zfs/btrfs/lvm). Then enable security.idmap.isolated. This way you still get separate u/gids per container while enabling automation for some container administration processes (e.g. assigning u/gids, autostart, copying/backing up containers, etc).

--
Fajar
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
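
An added example, not part of the original message and not code from the LXC project: when per-container uid/gid sets are assigned by hand in plain LXC configs, as in the setup described in the question, this check reports containers whose host id ranges overlap and containers that have no id map at all. It assumes `lxc.idmap = <u|g> <container id> <host id> <count>` lines in `/var/lib/lxc/<name>/config`; the container names and sample configs are constructed.

```python
import re
from itertools import combinations
from pathlib import Path

# Constructed sample configs (not from the thread): container name -> config text.
SAMPLE_CONFIGS = {
    "web": "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\nlxc.start.auto = 1\n",
    "db": "lxc.idmap = u 0 165536 65536\nlxc.idmap = g 0 165536 65536\n",
    "mail": "lxc.idmap = u 0 150000 65536\nlxc.idmap = g 0 231072 65536\n",
    "legacy": "# lxc.idmap = u 0 300000 65536\nlxc.start.auto = 1\n",
}

IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def load_configs(root="/var/lib/lxc"):
    """Read <root>/<name>/config for every container (lxc.include is not followed)."""
    return {p.parent.name: p.read_text() for p in Path(root).glob("*/config")}

def host_ranges(config_text):
    """Return host-side id ranges per kind as (start, end) with end exclusive."""
    ranges = {"u": [], "g": []}
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            host_start, count = int(m.group(3)), int(m.group(4))
            ranges[m.group(1)].append((host_start, host_start + count))
    return ranges

def find_overlaps(configs):
    """List (container_a, container_b, kind, first_id, last_id) for shared host ids."""
    parsed = {name: host_ranges(text) for name, text in configs.items()}
    findings = []
    for a, b in combinations(sorted(parsed), 2):
        for kind in ("u", "g"):
            for s1, e1 in parsed[a][kind]:
                for s2, e2 in parsed[b][kind]:
                    lo, hi = max(s1, s2), min(e1, e2)
                    if lo < hi:  # non-empty intersection of the two host ranges
                        findings.append((a, b, kind, lo, hi - 1))
    return findings

def unmapped(configs):
    """Containers missing a uid or gid map, i.e. not fully in a user namespace."""
    return sorted(n for n, t in configs.items() if not all(host_ranges(t).values()))

if __name__ == "__main__":
    for a, b, kind, lo, hi in find_overlaps(SAMPLE_CONFIGS):
        print(f"{a} and {b} share host {kind}ids {lo}-{hi}")
    print("no id map:", ", ".join(unmapped(SAMPLE_CONFIGS)) or "none")
```

To audit a real host, pass `load_configs()` instead of `SAMPLE_CONFIGS`; it needs read access to the container configs.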