Unprivileged LXC with uid mapping - what does it mean?

[zuluromeo]

Hello,

I managed to follow the directions at https://pve.proxmox.com/wiki/Unprivileged_LXC_containers (and a forum post on here) and get a LXC read/write access to a NFS mountpoint from my host. However, I was wondering what security issues this brings up as I am trying to avoid using a privileged container.

The UID and GID I added to the container are ones that are not in use on the host. Does this protect my host to any issues if my LXC is compromised?

Thank you.

 

[BobhWasatch]

NFS without Kerberos trusts the user ID provided by the client. So it is really only as secure as the clients. NFS v4 with Kerberos mitigates this at the cost of quite a bit of complexity in configuration. A solution like FreeIPA from RedHat help a lot with that.

 

[zuluromeo]

I just edited my post to add "not":

The UID and GID I added to the container are ones that are not in use on the host.

It sounds like you are saying that using NFS in a container that is less than v4 is not as secure. In my case, the NFS storage is only accessible by an local bridge within the host.

I am trying to share folders from an unraid VM to plex and other services. I trying to avoid having to create a VM for each service just so I can use NFS. The best way I can see doing this is the mount the NFS on the host and mount the folders in the container.

I know this is a dangerous question, but is it "secure enough"?

 

[BobhWasatch]

It doesn't matter container or not, NFS without Kerberos trusts the client machines. A root compromise on a client would allow impersonating any other user and reading or writing his files.

If you are only sharing within your private network and you trust your users and have set up sharing to only specific machines or only read-only, then that is likely "good enough" for your use case. It would not be good enough if you have potentially hostile users on the client machines. For instance if they were exposed to the Internet or you had users you don't completely trust like in a corporate environment.