I think that is correct. Except that it's not the host on which you run 'lxc' which matters, but the one running the lxd daemons. But yes, afaik you can create a container which mounts /dev/sda as a disk device and do what you like.
Quoting [email protected] ([email protected]):
> Since LXD is starting the unprivileged containers as root, does that mean
> that from a security point of view there is no difference between running the
> 'lxc' commands from a user which is member of the 'sudo' group and a user
> which is not?
> For plain LXC I've understood that it is more secure to run as a user which
> is not member of the 'sudo' group. That doesn't seem to be the case to LXD
> anymore. Is that correct?
>
>
> -----"lxc-users" <[email protected]> wrote: -----
> To: LXC users mailing-list <[email protected]>
> From: Serge Hallyn
> Sent by: "lxc-users"
> Date: 01/11/2016 23:36
> Subject: Re: [lxc-users] is starting unprivileged containers as root as
> secure as running them as any other user?
>
> Quoting Carlos Alberto Lopez Perez ([email protected]):
> > On 11/01/16 23:13, Serge Hallyn wrote:
> > > Quoting [email protected] ([email protected]):
> > >> Hmm, this is interesting.
> > >> I am running my container from the unprivileged user 'lxduser' and yet:
> > >>
> > >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> > >> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor]
> > >> /var/lib/lxd/containers pgroonga
> > >>
> > >> What is wrong here?
> > >
> > > You're using lxd. Lxd runs as root. You are not starting the
> > > containers as 'lxduser' - you are making requests as 'lxduser' for
> > > the root-owned process 'lxd' to start the containers.
> >
> > I understood that LXD uses unprivileged containers by default...
> >
> > Does this mean that LXD is starting the unprivileged containers as root?
>
> yes. It does many things which an unprivileged user cannot do, so it has
> to run as root.
>
> The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> lxd interposes a pty between your console and the container's.
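Since the thread's conclusion is that anyone who can talk to the root-owned lxd daemon can attach host block devices to a container, an administrator will want to audit two things: who is in the `lxd` group, and which containers already carry `disk` devices backed by a host `/dev` node. The script below is an added example, not code from the thread or from the LXD project; it assumes the line-oriented output format of `getent group lxd` and of `lxc config device show <container>` (both real commands), and parses constructed sample output so it can run offline.

```shell
# Constructed sample of `getent group lxd` output (not captured from a real host).
SAMPLE_GROUP='lxd:x:999:alice,bob'

# Constructed sample of `lxc config device show <container>` output.
# `sda` is the kind of device the thread warns about: a host block device
# passed straight into the container.
SAMPLE_DEVICES='root:
  path: /
  pool: default
  type: disk
sda:
  path: /mnt/hostdisk
  source: /dev/sda
  type: disk
eth0:
  name: eth0
  nictype: bridged
  parent: lxdbr0
  type: nic'

# Print the comma-separated members of the lxd group from getent-style input.
# Everyone listed here effectively has root on the host running lxd.
lxd_group_members() {
  printf '%s\n' "$1" | awk -F: '$1 == "lxd" { print $4 }'
}

# Print the names of disk devices whose source is a host /dev node.
# Each top-level "name:" line starts a record; indented keys belong to it.
find_host_block_devices() {
  printf '%s\n' "$1" | awk '
    function flush() { if (type == "disk" && src ~ /^\/dev\//) print name }
    /^[^ ]/        { flush(); name = $1; sub(/:$/, "", name); type = ""; src = "" }
    /^  type:/     { type = $2 }
    /^  source:/   { src = $2 }
    END            { flush() }
  '
}

# Live wrappers for a real host (hypothetical helper names, real commands).
audit_lxd_group()   { lxd_group_members "$(getent group lxd)"; }
audit_container()   { find_host_block_devices "$(lxc config device show "$1")"; }

echo "lxd group members: $(lxd_group_members "$SAMPLE_GROUP")"
echo "host block devices in sample container: $(find_host_block_devices "$SAMPLE_DEVICES")"
```

Run `audit_lxd_group` and `audit_container <name>` for each container on the real host; any name printed by the second is a container with direct access to a host disk.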
