On Mon, Feb 15, 2016 at 11:56 AM, John Siu <[email protected]> wrote:
> Is there any advantage to use separate subuid and subgid for each
> container?
>
> For example, when multiple unprivileged containers with the same subuid
> 100000, ps will show something like the following:
>
> One cannot tell which process is owned by which container.
>
> ps -ea -O cgroup:50
>
> Additionally, using the same subuid, is there any concern about one
> container gaining access to the other containers? Or is this not a problem
> at all?
>

In theory, yes, AFAIK that is a possibility. If somehow a process manages to break out of the container, it might be able to do stuff in the host as an unprivileged user. I haven't seen any attacks like that on recent systems though. In particular, with apparmor and lxcfs enabled, you should get an additional layer of security. So personally I find it's still acceptable for multiple unpriv containers to share the same subuid.

--
Fajar
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
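Added example, not code from the thread above or from the LXC project: a small POSIX shell helper that hands each unprivileged container its own non-overlapping subuid/subgid block, emits the matching `lxc.idmap` lines (older LXC 1.x releases spell the key `lxc.id_map`), checks an /etc/subuid-style table for ranges that collide, and resolves a host UID seen in `ps` back to the container that owns it. The base of 100000, the block size of 65536, and the container names c0/c1/c2 in the sample table are assumptions; the table is constructed so that c2 reuses c0's range, which is the shared-subuid situation the question describes.

```sh
#!/bin/sh
# Added example (not from the lxc-users thread or the LXC project).
# Allocate one distinct host UID/GID block per unprivileged container,
# detect overlapping blocks, and map a host UID back to its container.
# RANGE_BASE, RANGE_SIZE and the sample table are assumed/constructed values.

RANGE_BASE=100000   # assumed first host UID handed out to containers
RANGE_SIZE=65536    # one full 16-bit UID space per container

# range_start INDEX -> first host UID for the INDEX-th container (0-based)
range_start() {
    echo $(( RANGE_BASE + $1 * RANGE_SIZE ))
}

# idmap_lines INDEX -> lxc.idmap lines giving container INDEX its own block
# (LXC 1.x uses the key lxc.id_map instead of lxc.idmap)
idmap_lines() {
    start=$(range_start "$1")
    printf 'lxc.idmap = u 0 %d %d\n' "$start" "$RANGE_SIZE"
    printf 'lxc.idmap = g 0 %d %d\n' "$start" "$RANGE_SIZE"
}

# Constructed table in /etc/subuid format (name:start:count).
# c2 deliberately reuses c0's block, as in the original question.
SAMPLE_TABLE='c0:100000:65536
c1:165536:65536
c2:100000:65536'

# overlaps TABLE -> prints "A overlaps B" for every pair of entries whose
# host ranges intersect; exit status 0 if none found, 1 otherwise.
overlaps() {
    echo "$1" | awk -F: '
        { name[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $2 + $3 - 1 }
        END {
            found = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print name[i] " overlaps " name[j]
                        found = 1
                    }
            exit found
        }'
}

# owner_of TABLE UID -> names of every container whose block contains UID.
# With distinct blocks this prints exactly one name; with shared blocks it
# prints several, which is why ps alone cannot attribute the process.
owner_of() {
    echo "$1" | awk -F: -v uid="$2" '$2 <= uid && uid < $2 + $3 { print $1 }'
}
```

With distinct blocks, `ps -eo uid,pid,cmd` on the host shows a different UID range per container and `owner_of` resolves each line to one name; when `overlaps` reports a collision, two containers' root users map to the same host UID, so ordinary DAC no longer separates their files and processes on the host, and only the namespace boundary plus whatever AppArmor and lxcfs add stands between them.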
