Hi, a brief question from somebody uninitiated: would, from a security point of view, running a privileged container with (mapped) subuids - and a subuid'ed root in particular - be roughly as good as running an unprivileged one?

I mean, the processes running inside the container would still be unprivileged, with only lxc-start being owned by the host's root. Or would possible attack surfaces in namespace isolation make a noticeable difference here?

I'm asking since, as root, I'm guessing it might be easier to map select devices - like OSS audio - into a container, even when mapping uids too, which seems to be pretty much impossible to do with unprivileged containers (for good reason, obviously). On the other hand, I would really like to try running everything as tight as possible, so that's why the question: to understand what the tradeoff might be.

Thanks,
R.

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
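One concrete way to check the first part of this from inside a running container (an added example, not code from the original thread): read /proc/self/uid_map, which lists each uid range inside the container against the corresponding range in the parent namespace. A privileged container with no idmap shows the identity map `0 0 4294967295`, so root inside is the host's root; a subuid-mapped container shows something like `0 100000 65536`. The sample map lines in the test are constructed.

```python
"""Classify how uid 0 inside a container maps to the parent (host) namespace.

Added example; it reads the standard Linux /proc/self/uid_map format:
three columns, <inside-start> <outside-start> <length>.
"""
from typing import List, Optional, Tuple

# Each entry: (uid_inside_ns, uid_in_parent_ns, range_length)
UidMap = List[Tuple[int, int, int]]


def parse_uid_map(text: str) -> UidMap:
    """Parse the three-column uid_map format; malformed lines are skipped."""
    entries: UidMap = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def host_uid_for(inside_uid: int, uid_map: UidMap) -> Optional[int]:
    """Translate a container uid to the parent-namespace uid, or None if unmapped."""
    for inside, outside, length in uid_map:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None


def classify(uid_map_text: str) -> str:
    """'host-root' if uid 0 is the parent's uid 0, 'mapped-root' if it is a
    subuid, 'root-unmapped' if uid 0 has no mapping at all, else 'unknown'."""
    uid_map = parse_uid_map(uid_map_text)
    if not uid_map:
        return "unknown"          # nothing readable: do not assume a mapping
    host_root = host_uid_for(0, uid_map)
    if host_root == 0:
        return "host-root"        # identity map: root inside == host root
    if host_root is None:
        return "root-unmapped"
    return "mapped-root"


if __name__ == "__main__":
    # Run inside the container to classify its own root.
    with open("/proc/self/uid_map") as fh:
        print(classify(fh.read()))
```

This reports only the uid translation; it says nothing about which host devices or capabilities lxc-start handed into the container.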
