On 2/6/2011 3:56 PM, John Drescher wrote:
>> Is this important if, say, a malicious user has access to a container?
>> Or, can a container be configured such that they could do little harm?
>
> You can easily make a container have its own filesystem and no access
> to the host's filesystem or devices. Is that what you are getting at?
>
Say we have a process P, which accepts an input file from the user. Further, suppose that P allows access to the command line -- and so a user can potentially execute any command in the container. To prevent malicious use, one option is to parse the input -- but running P in a container with minimal resources seems a much better option.

I am trying to put a proof-of-concept together, and the root vs. normal user issue seemed relevant. Perhaps a better question would have been, what is the practical difference between the container running as a root user and a normal user?