Isolation of container user and global user needed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxc (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
When creating a new container, and creating a new user within the container, if the new user has the same id and gid as a global user, the processes created within the container are owned by that global user.
This causes unexpected ownership of container processes by users of the global zone, which shouldn't happen. Processes spawned from a container zone should be isolated from the global zone users.
Ubuntu Release:
root@lxc:~# lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
Package Version:
root@lxc:~# apt-cache policy lxc
lxc:
Installed: 2.0.0~rc15-0ubuntu1
Candidate: 2.0.0-0ubuntu1
Version table:
2.0.0-0ubuntu1 500
500 http://
500 http://
*** 2.0.0~rc15-0ubuntu1 100
100 /var/lib/
That's what unprivileged containers are for.
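
The UID translation behind the behaviour reported above and the reply to it, as an added example that is not part of the original bug report or of LXC's own code: it parses the kernel's `/proc/<pid>/uid_map` format and shows which host UID ends up owning a container user's processes. The two sample maps, the 100000/65536 range and all function names are assumptions made for illustration, and the map is assumed to be read from the host.

```python
# Added example: translate a container UID to the host UID the kernel uses for
# process ownership, given the text of the container's /proc/<pid>/uid_map.
from typing import List, Optional, Set, Tuple

Extent = Tuple[int, int, int]  # (first UID inside, first UID on host, count)

# Constructed sample maps (not taken from the bug report).
# Privileged container: no separate user namespace, so the identity map applies.
PRIVILEGED_MAP = "         0          0 4294967295\n"
# Unprivileged container: assumed range, e.g. lxc.id_map = u 0 100000 65536.
UNPRIVILEGED_MAP = "         0     100000      65536\n"


def parse_uid_map(text: str) -> List[Extent]:
    """Parse uid_map text: one 'inside outside count' extent per line."""
    extents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        extents.append((inside, outside, count))
    return extents


def host_uid(extents: List[Extent], container_uid: int) -> Optional[int]:
    """Return the host UID for container_uid, or None if it is unmapped."""
    for inside, outside, count in extents:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def collides_with_host(extents: List[Extent], container_uid: int, host_uids: Set[int]) -> bool:
    """True if the container user's processes are owned by an existing host user."""
    mapped = host_uid(extents, container_uid)
    return mapped is not None and mapped in host_uids


if __name__ == "__main__":
    host_users = {0, 1000}  # constructed: host accounts with UID 0 and UID 1000
    for name, text in (("privileged", PRIVILEGED_MAP), ("unprivileged", UNPRIVILEGED_MAP)):
        m = parse_uid_map(text)
        print(name, host_uid(m, 1000), collides_with_host(m, 1000, host_users))
```

With the identity map, container UID 1000 is host UID 1000, which is the ownership the report describes; with the shifted map it becomes host UID 101000, which no host account holds.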