Greetings, T.C 吳天健!

> It's said a privileged container is unsecured. For example, if a user in the
> container (suppose it's running a service toward the public) hacks the system
> with some kind of rootkit.

This is not specifically correct. The road to compromising the container is rather thorny. Even if the container is privileged and the container owner has root access inside the container, gaining any host advantage would be hard if not impossible, unless the host configuration is far from sane.

> I am thinking of building a more secure container. The first idea is to
> use an unprivileged container; second is to apply cgroup to limit viewing of some
> sensitive /dev files, and any recommendation?

LXD by default is "secure" in the sense that even if the container is compromised, the effective UID the container user is running from has no rights on the host.

> Summary
> - use unprivileged container

Right.

> - cgroup to limit viewing of some /dev files

Unnecessary in real-world applications.

-- 
With best regards,
Andrey Repin
Wednesday, May 10, 2017 00:17:31

Sorry for my terrible english...

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
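As an added illustration of the reply's point about unprivileged containers (example code, not from the thread or the LXD project): a small check that parses `/proc/<pid>/uid_map` and reports whether root inside a container corresponds to host root or to an ordinary host uid with no rights on the host. The map contents below are constructed samples, and the function names are my own.

```python
"""Classify a uid namespace by where it sends container root on the host."""
from pathlib import Path
from typing import List, Optional, Tuple

Entry = Tuple[int, int, int]  # (inside uid, outside/host uid, count)


def parse_uid_map(text: str) -> List[Entry]:
    """Parse /proc/<pid>/uid_map lines of the form '<inside> <outside> <count>'."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0:
            raise ValueError(f"non-positive range length in: {line!r}")
        entries.append((inside, outside, count))
    return entries


def host_uid_for(entries: List[Entry], inside_uid: int) -> Optional[int]:
    """Translate an in-namespace uid to its host uid, or None if it is unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def classify(text: str) -> str:
    """'privileged' if container root is host root, else 'unprivileged'."""
    host_root = host_uid_for(parse_uid_map(text), 0)
    if host_root is None:
        return "unmapped-root"  # uid 0 inside has no host identity at all
    return "privileged" if host_root == 0 else "unprivileged"


def classify_self() -> str:
    """Classify the namespace of the running process (reads the real procfs)."""
    return classify(Path("/proc/self/uid_map").read_text())


# Constructed samples, not captured from a real host:
PRIVILEGED_MAP = "         0          0 4294967295\n"  # no user namespace (privileged)
LXD_DEFAULT_MAP = "         0    1000000 1000000000\n"  # LXD-style 1000000:1000000000 range
LXC_SUBUID_MAP = "         0     100000      65536\n"  # classic /etc/subuid allocation

if __name__ == "__main__":
    for name, m in [("privileged", PRIVILEGED_MAP), ("lxd", LXD_DEFAULT_MAP), ("subuid", LXC_SUBUID_MAP)]:
        print(name, classify(m), "root ->", host_uid_for(parse_uid_map(m), 0))
    print("this process:", classify_self())
```

Run inside a container to see what an attacker who gains uid 0 there would actually hold on the host.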
