Quoting Christian Brauner ([email protected]):
> Hello,
>
> I do the following in my ~/.config/lxc/default.conf:
>
> # Container specific configuration
> lxc.id_map = u 1001 101001 64535
> lxc.id_map = g 1001 101001 64535
> # uid and gid 1000 isn’t translated so that the container can access the
> # X socket and dri and snd and video0 devices
> lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
>
> I was wondering compared to an unprivileged container where I simply
> map:
>
> lxc.id_map=u 0 100000 65536
> lxc.id_map=g 0 100000 65536
>
> 1) Am I significantly more vulnerable when I preserve the uid/gid of my
> unprivileged user on the host for my user in the container?
Yes. It introduces a whole new class of vulnerability, where the container root owns all of your own files. At the same time it is still significantly (and even more significantly) safer than having root in the container be the same as root on the host :)

> 2) And is there a different solution which would allow me to grant
> access to the sound and video devices in /dev/snd and /dev/dri to the
> user in my unprivileged container while still preserving the standard
> mapping:
>
> lxc.id_map=u 0 100000 65536
> lxc.id_map=g 0 100000 65536

You can use pulse to forward the sound over the network. For dri, I don't know that there is.
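The following is an added example, not part of the original mail or of LXC itself: a small audit script that parses lxc.id_map lines and reports host uids/gids mapped into the container from outside the subordinate range, which is the exposure the reply above describes. The function names and the subordinate range 100000-165535 (taken from the mappings quoted in the thread) are assumptions; on a real host the range comes from /etc/subuid and /etc/subgid.

```python
import re

# Constructed sample input: the two configurations quoted in the thread.
PRESERVED_UID = """
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""
STANDARD = """
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
"""

# kind (u or g), first container ID, first host ID, number of IDs
ID_MAP = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_id_maps(conf):
    """Return (kind, container_start, host_start, count) per lxc.id_map line."""
    maps = []
    for line in conf.splitlines():
        m = ID_MAP.match(line)
        if m:
            maps.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return maps


def exposed_host_ids(conf, sub_start=100000, sub_count=65536):
    """Return (kind, first, last) host ID ranges that are mapped into the
    container but lie outside the subordinate range (assumed default above)."""
    sub_end = sub_start + sub_count - 1
    findings = []
    for kind, _c_start, h_start, count in parse_id_maps(conf):
        h_end = h_start + count - 1
        if h_start < sub_start:   # part of the mapping lies below the range
            findings.append((kind, h_start, min(h_end, sub_start - 1)))
        if h_end > sub_end:       # part of the mapping lies above the range
            findings.append((kind, max(h_start, sub_end + 1), h_end))
    return findings


if __name__ == "__main__":
    for name, conf in (("preserved uid", PRESERVED_UID), ("standard", STANDARD)):
        print(name, exposed_host_ids(conf))
```
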
