On June 29, 2018 7:47 AM, Fiedler Roman <[email protected]> wrote:


> I am not sure if this is the reason for your problem but special files and SUID
> binaries can be quite dangerous. Therefore quite strict access limitations might

Yes... I agree, that is true.  This is just for my own use.

Anyway it still seems weird to me that calling into the lxc API would need 
write permissions to /proc/self/cgroup controllers, when it shouldn't write 
those (I think?), but instead should want to write to 
/proc/<pid-for-container-something>/cgroup controllers.

Without that requirement, I believe what I'm doing would work.  I have 
encapsulated my non-priv containers under a dedicated user, so if something 
escapes the container, it will not see my normal user data.  Then I added my normal 
user to the container user's group.  This works: I can "sudo containeruser 
lxc-something" from my normal user and manage the containers via command line.  
It's only if I have code which calls setuid() to get to the same container uid that 
I have trouble.


_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users