LXC Bind Mounts: everything runs as root?

Giovanni

Renowned Member
Apr 1, 2009
108
10
83
When mounting a zvol directory, do all actions taken inside the container show up as executed by root by default?

I'm testing and that is what I noticed, now I am not too familiar with the new LXC/container lingo when it comes to "ACL" on the creation screen, I did not select it. I'm migrating from FreeBSD zones which locked down this in the past and everything ran as a set uid.

container config:
Code:
root@pve:/etc/pve/nodes/pve/lxc# cat 102.conf
arch: amd64
cores: 1
hostname: mount-test
memory: 512
mp0: /gdata/music/,mp=/mnt/music
net0: name=eth0,bridge=vmbr0,hwaddr=8E:6B:E5:C5:7D:2E,ip=dhcp,type=veth
ostype: ubuntu
rootfs: gdata-zfs:subvol-102-disk-1,size=8G
swap: 512
unused0: gdata-zfs:subvol-102-disk-2

On the container:
Code:
root@mount-test:/mnt/music/zb9999# ls -lah
total 50K
drwxr-xr-x   3 root root   3 Jun 11 21:59 .
drwxrwxr-x 311 1001  816 322 Jun 11 21:58 ..
drwxr-xr-x   2 root root   2 Jun 11 21:59 titti

From the host node:
Code:
root@pve:/gdata/music# ls -lah zb9999/
total 50K
drwxr-xr-x   3 root root   3 Jun 11 14:59 .
drwxrwxr-x 311 1001  816 322 Jun 11 14:58 ..
drwxr-xr-x   2 root root   2 Jun 11 14:59 titti
root@pve:/gdata/music# ls -lah Zombie\ Nation/
total 50K
drwxrwxr-x   3 1001 816   3 Oct  6  2014 .
drwxrwxr-x 311 1001 816 322 Jun 11 14:58 ..
drwxrwxr-x   2 1001 816   2 Oct  6  2014 Kernkraft 400 [Radikal CD_12_]

As you can see, in the host node the zfs recorded the new folder 'zb9999' and its children as created by root.... in a copy from my zone you can see the uid=1001 (it shows the number since it doesn't exist in the container).

- I'm curious this is working as intended?
- What is the "ACL" toggle do on both creating "Mount points" and creating the container itself?
- Do I see the above behavior because my container is running in privileged mode? reference
- How much of a security risk is this? If I toggle read-only on the mp0 is it respected or possible security risk?

Thanks
 
To follow up on the actual questions:
- I'm curious this is working as intended?
Yes.
- What is the "ACL" toggle do on both creating "Mount points" and creating the container itself?
Toggles support for access control lists (setfacl commands & friends on file systems which support them)
- Do I see the above behavior because my container is running in privileged mode?
Yes.
- How much of a security risk is this? If I toggle read-only on the mp0 is it respected or possible security risk?
The read-only flag should usually be honored. But yes, when using real root there's always a chance someone finds a way out as the involved mechanisms are quite complex. My personal recommendation is to stick to unprivileged containers unless you have a good reason to use privileged ones.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!