Since LXD is starting the unprivileged containers as root, does that mean that from a security point of view there is no difference between running the 'lxc' commands from a user which is member of the 'sudo' group and a user which is not? For plain LXC I've understood that it is more secure to run as a user which is not member of the 'sudo' group. That doesn't seem to be the case to LXD anymore. Is that correct?
-----"lxc-users" <[email protected]> wrote: ----- To: LXC users mailing-list <[email protected]> From: Serge Hallyn Sent by: "lxc-users" Date: 01/11/2016 23:36 Subject: Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user? Quoting Carlos Alberto Lopez Perez ([email protected]): > On 11/01/16 23:13, Serge Hallyn wrote: > > Quoting [email protected] ([email protected]): > >> Hmm, this is interesting. > >> I am runnung my container from the unprivileged user 'lxduser' and yet: > >> > >> root@qumind:~# ps -ef | grep '[l]xc monitor' > >> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] > >> /var/lib/lxd/containers pgroonga > >> > >> What is wrong here? > > > > You're using lxd. Lxd runs as root. You are not starting the > > containers as 'lxduser' - you are making requests as 'lxduser' for > > the root-owned process 'lxd' to start the containers. > > I understood that LXD uses unprivileged containers by default... > > Does this mean that LXD is starting the unprivileged containers as root? yes. It does many things which an unprivileged user cannot do, so it has to run as root. The lxc-attach weakness I mentioned does not apply to 'lxc exec', because lxd interposes a pty between your console and the container's. _______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
