LXC Bind Mounts: everything runs as root?

Giovanni

When mounting a zvol directory, do all actions taken inside the container show up as executed by root by default?

I'm testing and that is what I noticed. I am not too familiar with the new LXC/container lingo; when it came to "ACL" on the creation screen, I did not select it. I'm migrating from FreeBSD zones, which locked this down in the past, and everything ran as a set uid.

container config:
Code:
root@pve:/etc/pve/nodes/pve/lxc# cat 102.conf
arch: amd64
cores: 1
hostname: mount-test
memory: 512
mp0: /gdata/music/,mp=/mnt/music
net0: name=eth0,bridge=vmbr0,hwaddr=8E:6B:E5:C5:7D:2E,ip=dhcp,type=veth
ostype: ubuntu
rootfs: gdata-zfs:subvol-102-disk-1,size=8G
swap: 512
unused0: gdata-zfs:subvol-102-disk-2

On the container:
Code:
root@mount-test:/mnt/music/zb9999# ls -lah
total 50K
drwxr-xr-x   3 root root   3 Jun 11 21:59 .
drwxrwxr-x 311 1001  816 322 Jun 11 21:58 ..
drwxr-xr-x   2 root root   2 Jun 11 21:59 titti

From the host node:
Code:
root@pve:/gdata/music# ls -lah zb9999/
total 50K
drwxr-xr-x   3 root root   3 Jun 11 14:59 .
drwxrwxr-x 311 1001  816 322 Jun 11 14:58 ..
drwxr-xr-x   2 root root   2 Jun 11 14:59 titti
root@pve:/gdata/music# ls -lah Zombie\ Nation/
total 50K
drwxrwxr-x   3 1001 816   3 Oct  6  2014 .
drwxrwxr-x 311 1001 816 322 Jun 11 14:58 ..
drwxrwxr-x   2 1001 816   2 Oct  6  2014 Kernkraft 400 [Radikal CD_12_]

As you can see, on the host node ZFS recorded the new folder 'zb9999' and its children as created by root. In a copy from my zone you can see uid=1001 (it shows the number since it doesn't exist in the container).

- I'm curious: is this working as intended?
- What does the "ACL" toggle do, both when creating "Mount points" and when creating the container itself?
- Do I see the above behavior because my container is running in privileged mode? reference
- How much of a security risk is this? If I toggle read-only on the mp0 is it respected or possible security risk?

Thanks
 
To follow up on the actual questions:
- I'm curious: is this working as intended?
Yes.
- What does the "ACL" toggle do, both when creating "Mount points" and when creating the container itself?
Toggles support for access control lists (setfacl commands & friends on file systems which support them).
- Do I see the above behavior because my container is running in privileged mode?
Yes.
- How much of a security risk is this? If I toggle read-only on the mp0 is it respected or possible security risk?
The read-only flag should usually be honored. But yes, when using real root there's always a chance someone finds a way out as the involved mechanisms are quite complex. My personal recommendation is to stick to unprivileged containers unless you have a good reason to use privileged ones.
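
Added example, not part of the original posts and not Proxmox code: a small Python check over a container config in the format shown in the question, reporting bind mounts that a privileged container can write to as host root. It assumes the `unprivileged: 1` and `ro=1` keys of the pct config format and treats an absolute host path outside /dev as a bind mount; the function names are hypothetical.

```python
import re

# Constructed input: abridged copy of the 102.conf posted in the question.
SAMPLE_CONF = """\
arch: amd64
hostname: mount-test
mp0: /gdata/music/,mp=/mnt/music
ostype: ubuntu
rootfs: gdata-zfs:subvol-102-disk-1,size=8G
"""

def parse_conf(text):
    """Return {key: value} for the main config section (stops at a snapshot section)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # snapshot sections follow the main config
            break
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit_bind_mounts(text):
    """List mpN bind mounts with the container's privilege mode and ro flag."""
    conf = parse_conf(text)
    # Assumption: a missing "unprivileged" key means a privileged container.
    privileged = conf.get("unprivileged", "0") != "1"
    findings = []
    for key, value in sorted(conf.items()):
        if not re.fullmatch(r"mp\d+", key):
            continue
        source, *rest = value.split(",")
        if source.startswith("volume="):
            source = source[len("volume="):]
        # Storage volumes (storage:name) and device mounts are not bind mounts.
        if not source.startswith("/") or source.startswith("/dev/"):
            continue
        opts = dict(o.split("=", 1) for o in rest if "=" in o)
        read_only = opts.get("ro") == "1"
        findings.append({
            "mount": key, "source": source, "target": opts.get("mp"),
            "privileged": privileged, "read_only": read_only,
            # Privileged + writable: container uid 0 is uid 0 on the host path.
            "root_writes_as_host_root": privileged and not read_only,
        })
    return findings
```
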
 
