Mailing List Archives Authenticated access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?

Date: Thu, 10 Mar 2016 13:53:41 +0100
From: Thomas Hartmann <thomas.hartmann@xxxxxxx>
Subject: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?

Hi all,

is there actually a knob for the Docker universe to map UIDs/GIDs in an
container onto another range on the host?

I stumbled over [1] and am wondering, if it would make sense to map at
least root to another UID/GID - assuming it would reduce(?) the risks by
some hypothetical exploit allowing root to escape a container?

Cheers,
  Thomas

[1]
http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/

~~> docker run -lxc-conf=âlxc.id_map = u 0 100000 65536â
-lxc-conf=âlxc.id_map = g 0 100000 65536

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?
  - From: Greg Thain

Prev by Date: [HTCondor-users] HTCondor helps LIGO confirm last unproven Albert Einstein theory
Next by Date: Re: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?
Previous by thread: [HTCondor-users] HTCondor helps LIGO confirm last unproven Albert Einstein theory
Next by thread: Re: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?
Index(es):
- Date
- Thread

Mailing List Archives

Authenticated access

[HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?