Unprivileged LXC Container - Work as root or not?

miracuru

Jan 7, 2024
Hi

I have a few LXC containers running in my homelab. I'm not sure what the best practice or concept is regarding these containers.
Is it advised to create a separate user for services like Pi-hole, Grafana, Prometheus, Nextcloud and so on?
Or can I just install the services under the root account in the container, as the LXC containers are unprivileged anyway?
Or is this still a bad idea, and should I create extra users within a container for running these services?

Best regards
Simon
 
I would still create additional users so a compromised service won't affect other services. Let's say you run a mail server and a Plex in that LXC and Plex has a vulnerability. Bad enough that someone else might watch your movies. But still good if Plex is running as its own user, so the attacker can't read your mails as well.
 
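A quick way to see whether Dunuin's advice is actually in effect inside a container is to check which listening services still run as root. The script below is an added example written for this page; it is not code posted by anyone in the thread and not part of Proxmox. It parses the output of `ss -tlnpe` (with `-p` for the owning process and `-e` for the socket owner) and flags root-owned listeners. The function names are ours, the sample `ss` output is constructed, and the rule "no `uid:` field means uid 0" is our reading of how `ss -e` prints socket owners.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from Proxmox:
# audit which listening TCP services inside a container run as root.
# It parses `ss -tlnpe` output (iproute2): -p shows the owning process, -e the
# socket owner. ss prints "uid:N" only when the owner is not uid 0 (our
# assumption about iproute2 output), so a listener with no "uid:" field, or
# with "uid:0", belongs to root. Function names are ours.

# root_listeners [FILE]: print "name pid=N port=P" for each root-owned listener.
# Reads FILE, or stdin when no argument is given (e.g. `ss -tlnpe | root_listeners`).
# Run `ss` as root inside the container, otherwise the process names of other
# users' sockets are not shown and nothing can be attributed.
root_listeners() {
    awk '
        /users:\(\("/ {
            name = $0; sub(/.*users:\(\("/, "", name); sub(/".*/, "", name)
            pid  = $0; sub(/.*pid=/, "", pid);        sub(/,.*/, "", pid)
            port = $4; sub(/.*:/, "", port)   # local address:port (IPv4, IPv6 or *)
            if ($0 !~ /uid:[1-9]/)
                printf "%s pid=%s port=%s\n", name, pid, port
        }' "$@"
}

# Constructed sample of `ss -tlnpe` output (not captured from a real host):
# grafana and node_exporter run as dedicated users, prometheus and sshd as root.
write_sample() {
    cat > "$1" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:3000        0.0.0.0:*         users:(("grafana",pid=312,fd=8)) uid:472 ino:20115 sk:1 cgroup:/system.slice/grafana-server.service <->
LISTEN 0      4096   0.0.0.0:9090        0.0.0.0:*         users:(("prometheus",pid=298,fd=7)) ino:19876 sk:2 cgroup:/system.slice/prometheus.service <->
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=201,fd=3)) ino:17001 sk:3 cgroup:/system.slice/ssh.service <->
LISTEN 0      4096   127.0.0.1:9100      0.0.0.0:*         users:(("node_exporter",pid=355,fd=3)) uid:998 ino:21340 sk:4 cgroup:/system.slice/node_exporter.service <->
EOF
}

# Demo on the constructed sample. In a real container: ss -tlnpe | root_listeners
sample=$(mktemp)
write_sample "$sample"
root_listeners "$sample"
rm -f "$sample"
```

On the sample this prints `prometheus pid=298 port=9090` and `sshd pid=201 port=22`: sshd running as root is expected (it drops privileges per session), but a Prometheus listener owned by root is exactly the case the thread is about, since a bug in it hands the attacker every file in that container rather than only Prometheus's own data. Services that share one socket show several `pid=` entries on a line; the parser reports the last one, which is enough to know the service name.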
While I agree with Dunuin (and like his humorous example), what I tend to do is segregate every service into its own LXC. I believe this is a safer, more granular approach than just loading up an LXC chock-full of running services. I also believe that, except for disk space, it's also not more resource-hungry than loading numerous services together in one LXC. (Some are probably going to argue about RAM - I disagree.)

An LXC is not a full-blown OS. I've got VMs for that.

I agree that sometimes more than one service is required in an LXC, but then they are usually so "tied together" that Dunuin's argument is probably no longer valid.

I don't need to add that not needing to bother with additional users in an LXC is so much less of a headache.

I agree that doesn't mean it's not sometimes necessary. (Also, for some services on their own, you need another user anyway.)
 
Yep, dedicated LXC for all services that belong together still makes most sense.
But not all people do things that make sense security-wise if there are lazier ways. Think of all the people running multiple Docker containers/stacks in a single LXC managed by Portainer, so they can manage all Docker containers via a single web UI. I personally would spin up a dedicated VM for each single rootless Docker stack. But not that many people are willing to buy more powerful hardware for better isolation/security.
 
Hello @Dunuin and @gfngfn256, thank you very much for your kind help.
Okay, I have separated most services onto different LXCs. Only Prometheus and Grafana run in the same LXC, as that makes sense to me, since they are related to each other. They are still all running as root, as I was a bit too lazy to create extra users in all the LXCs. Maybe I should change that though. I'm still a bit unsure if it's really needed.

I can think of one reason for not running a service as root. When a service has a vulnerability and the intruder gains root on that specific host, I think it is then easier to do lateral movement or to install backdoors and so on to compromise more systems. Would that make sense?
 
Dunuin has already covered this in his post.

What you should be extremely careful of is to not (maybe never) create a privileged LXC. That causes what you refer to as "lateral" to become a whole lot wider!

Summary: ALL YOUR LXCs SHOULD BE UNPRIVILEGED
 
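Since the summary above is easy to state and easy to drift from (one container created with the "Unprivileged container" box unticked is enough), here is an added check written for this page, not Proxmox's own tooling and not posted by anyone in the thread. Proxmox VE keeps one config file per container as `/etc/pve/lxc/<vmid>.conf`, and an unprivileged container carries the line `unprivileged: 1`. The script reads a directory of such files and reports the ones that are privileged. Function names are ours and the two sample configs are constructed; the only Proxmox facts relied on are the file location, the `unprivileged: 1` key and the `[snapshotname]` section layout.

```shell
#!/bin/sh
# Added example for this thread, not Proxmox's own tooling or any poster's code:
# list containers whose config is privileged. Proxmox VE stores one file per
# container as /etc/pve/lxc/<vmid>.conf; an unprivileged container carries the
# line "unprivileged: 1". The current config is everything above the first
# "[snapshotname]" section header; snapshot sections repeat the keys as they
# were at snapshot time, so they must be ignored. Function names are ours.

# is_unprivileged FILE: exit 0 if the top section of FILE contains "unprivileged: 1".
is_unprivileged() {
    awk '
        /^\[/ { exit }                          # first snapshot section: stop reading
        /^unprivileged:[ \t]*1[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# privileged_cts DIR: print "<vmid> privileged" for each DIR/<vmid>.conf that is
# not unprivileged. On a PVE host (as root): privileged_cts /etc/pve/lxc
privileged_cts() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        is_unprivileged "$f" || echo "$(basename "$f" .conf) privileged"
    done
}

# Constructed sample configs (not taken from a real host).
write_samples() {
    # 101: unprivileged, with a snapshot section below the current config
    cat > "$1/101.conf" <<'EOF'
arch: amd64
cores: 2
hostname: grafana
memory: 1024
rootfs: local-lvm:vm-101-disk-0,size=8G
unprivileged: 1

[before-upgrade]
arch: amd64
cores: 2
hostname: grafana
memory: 1024
rootfs: local-lvm:vm-101-disk-0,size=8G
snaptime: 1704672000
unprivileged: 1
EOF
    # 102: privileged (no "unprivileged" key at all)
    cat > "$1/102.conf" <<'EOF'
arch: amd64
cores: 2
hostname: nextcloud
memory: 2048
rootfs: local-lvm:vm-102-disk-0,size=32G
EOF
}

d=$(mktemp -d)
write_samples "$d"
privileged_cts "$d"     # prints: 102 privileged
rm -rf "$d"
```

For a single container `pct config <vmid>` on the host shows the same key. From inside a container the difference is visible in `/proc/self/uid_map`: an unprivileged container typically maps root to a high host UID range (`0 100000 65536` with Proxmox defaults), while a privileged one shows the identity mapping `0 0 4294967295`, meaning root in the container is root on the host's kernel, which is why a root-level service compromise there reaches so much further.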
I'll keep that in mind. Fortunately I have no need for privileged containers.
Thanks for your kind help.
 
