Unprivileged LXC with uid mapping - what does it mean?

zuluromeo
May 12, 2019
Hello,

I managed to follow the directions at https://pve.proxmox.com/wiki/Unprivileged_LXC_containers (and a forum post on here) and give an LXC read/write access to an NFS mountpoint from my host. However, I was wondering what security issues this brings up, as I am trying to avoid using a privileged container.

The UID and GID I added to the container are ones that are not in use on the host. Does this protect my host from any issues if my LXC is compromised?

Thank you.
I just edited my post to add "not":

The UID and GID I added to the container are ones that are not in use on the host.

It sounds like you are saying that using NFS in a container with a version lower than v4 is not as secure. In my case, the NFS storage is only accessible via a local bridge within the host.

I am trying to share folders from an unraid VM to Plex and other services. I am trying to avoid having to create a VM for each service just so I can use NFS. The best way I can see of doing this is to mount the NFS on the host and mount the folders in the container.

I know this is a dangerous question, but is it "secure enough"?
It doesn't matter whether it is a container or not: NFS without Kerberos trusts the client machines. A root compromise on a client would allow impersonating any other user and reading or writing his files.

If you are only sharing within your private network, you trust your users, and you have set up sharing to only specific machines or read-only, then that is likely "good enough" for your use case. It would not be good enough if you have potentially hostile users on the client machines, for instance if they were exposed to the Internet or you had users you don't completely trust, as in a corporate environment.
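The uid-mapping half of the question (which host ids the container's users actually run as, and whether any of them coincide with a real host account) can be checked mechanically before the container is started. This is an added example, not code from the thread or the Proxmox wiki; the idmap lines, the subuid allowances and the passwd excerpt are constructed assumptions in the style the wiki describes.

```python
import re

# Constructed sample data (assumptions for this example, not from the thread):
# container uid/gid 1005 passes straight through to host id 1005 (the share
# owner), everything else shifts into root's 100000+ range, 65536 ids in total.
IDMAP = """lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530"""
SUBUID = "root:100000:65536\nroot:1005:1"            # /etc/subuid style, constructed
PASSWD = "root:x:0:0::/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/bash"

def parse_idmap(text, kind):
    """(container_start, host_start, count) triples for kind 'u' or 'g', sorted."""
    pat = re.compile(r"^lxc\.idmap:\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)$")
    rows = [m.groups() for m in map(pat.match, text.splitlines()) if m]
    return sorted((int(c), int(h), int(n)) for k, c, h, n in rows if k == kind)

def parse_subids(text, user="root"):
    """(start, count) allowances granted to `user` in /etc/subuid or /etc/subgid."""
    rows = [ln.split(":") for ln in text.splitlines() if ln.strip()]
    return [(int(s), int(n)) for u, s, n in rows if u == user]

def check_idmap(ranges, subids, total=65536):
    """Problems with the map: gaps/overlaps, ids not granted to root, wrong size."""
    problems, expect = [], 0
    for cstart, hstart, count in ranges:
        if cstart != expect:   # container-side ranges must be contiguous from 0
            problems.append(f"container id discontinuity at {cstart} (expected {expect})")
        if not any(s <= hstart and hstart + count <= s + n for s, n in subids):
            problems.append(f"host ids {hstart}..{hstart + count - 1} not granted in subid file")
        expect = cstart + count
    if expect != total:
        problems.append(f"map covers {expect} ids, expected {total}")
    return problems

def to_host(ranges, cid):
    """Host id a container uid/gid really runs as; None if it is unmapped."""
    for cstart, hstart, count in ranges:
        if cstart <= cid < cstart + count:
            return hstart + (cid - cstart)
    return None

def host_accounts_reachable(ranges, passwd):
    """Host login accounts whose uid the container can act as (ideally none)."""
    accounts = {int(f[2]): f[0] for f in (ln.split(":") for ln in passwd.splitlines()) if f[0]}
    return sorted((uid, name) for uid, name in accounts.items()
                  if any(h <= uid < h + n for _, h, n in ranges))
```

With the sample data the map is consistent and no host login account is reachable; dropping the `root:1005:1` allowance or the passthrough line makes `check_idmap` report exactly what would stop the container from starting.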