Quoting Patrick Toomey ([email protected]):

> > Why is that? Are you bind-mounting /usr or / from the host? Generally
> > if you've created a full container, the rootfs should be uid-shifted so that
> > /usr/lib/sudo/sudoers.so should be owned by uid 0 in the container
> >
>
> Yeah, I was using lxc-execute with "default isolation". I fully
> understand/appreciate the downsides of not using a container with a
> full rootfs, but I had a very specific use case in mind.

Sounds like a stackable filesystem that remaps file uids would give you what you need. (I'm not working on one, but several people have expressed a desire for it)

> > Ok, so are you actually wanting to run programs on the host, as non-root
> > user, inside a container? Or do you have a full container rootfs under
> > ~/.local/share/lxc/$container/rootfs ?
> >
>
> Yup, my goal was to just launch `some_random_command_line_utility` on
> the host, as non-root, and apply a policy that provides some extra
> assurances above/beyond (seccomp, no other valid uid mappings,
> possibly an apparmor profile, etc) what executing the process as a low
> privilege user would have on its own.
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
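The uid-shift point raised above (that files in an unprivileged container's rootfs must be owned by host uids that map back to uid 0 inside the user namespace, otherwise setuid helpers such as sudo see them as "nobody") can be checked offline. The following is an added example written for this thread, not code from LXC or from either poster: it parses the kernel's `/proc/<pid>/uid_map` format ("inside outside count" per line), translates host-side owner uids into what the container would see, and audits a constructed file listing. The uid_map range and the file entries are assumptions constructed for the demonstration.

```python
"""Audit whether rootfs files are owned by host uids that map into a user namespace.

Added example, not code from the lxc-users thread or from LXC itself.
The sample uid_map and file listing below are constructed for illustration.
"""
from typing import List, Optional, Tuple

# Kernel default for ids with no mapping (/proc/sys/kernel/overflowuid)
OVERFLOW_UID = 65534


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map text into (inside_start, outside_start, count)."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(p) for p in parts)
        ranges.append((inside, outside, count))
    return ranges


def host_to_container_uid(host_uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Return the uid a host uid appears as inside the namespace, or None if unmapped."""
    for inside, outside, count in ranges:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def audit_rootfs(entries: List[Tuple[str, int]], ranges: List[Tuple[int, int, int]]):
    """For each (path, host_owner_uid) return (path, host_uid, container_uid, status).

    status is "ok" when the file is container-root, "non-root" when it maps to
    some other valid container uid, and "unmapped" when the host uid lies
    outside every mapping (the container then sees the overflow uid 65534).
    """
    report = []
    for path, host_uid in entries:
        cuid = host_to_container_uid(host_uid, ranges)
        if cuid is None:
            status = "unmapped"
            cuid = OVERFLOW_UID
        elif cuid == 0:
            status = "ok"
        else:
            status = "non-root"
        report.append((path, host_uid, cuid, status))
    return report


# Constructed uid_map: container uids 0..65535 -> host uids 100000..165535
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Constructed rootfs listing: (path, host-side owner uid)
SAMPLE_ENTRIES = [
    ("/usr/lib/sudo/sudoers.so", 100000),  # correctly shifted: container root
    ("/usr/bin/sudo", 0),                  # unshifted, e.g. bind-mounted from the host
    ("/home/user/.bashrc", 101000),        # container uid 1000
]

if __name__ == "__main__":
    ranges = parse_uid_map(SAMPLE_UID_MAP)
    for path, huid, cuid, status in audit_rootfs(SAMPLE_ENTRIES, ranges):
        print(f"{path}: host uid {huid} -> container uid {cuid} ({status})")
```

On a real system you would feed `parse_uid_map` the contents of `/proc/<container-init-pid>/uid_map` and build the entries from `os.lstat(path).st_uid` over the rootfs; any file reported as "unmapped" is the case described above, where the unshifted host-owned file shows up as uid 65534 inside the container.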
