OK, let’s say you’re using LXC containers. Usually, you create them as the root user, and the root user inside the container, is mapped to the root user outside the container.
But here’s the problem: If anything in that container gets exploited (e.g., remote execution vulnerability), and on top of that, the attack somehow manages to gain root access inside the container (this can happen easily if the exploited program is running as root), and, again, on top of that, somehow manages to escape the container, well, if these many things have gone wrong, the attacker will have root on the host.
So, instead, we can map the root user inside the container to a “random” user ID on the host, such that if the container is escaped, the attacker will have similar permissions as the user “nobody”, rather than root.
First, check the contents of
/etc/subgid and look for a line starting with root. If there is no entry, we have to create them:
usermod --add-subuids 1000000-1000999999 root usermod --add-subgids 1000000-1000999999 root
Now check the contents of the files again:
# cat /etc/subuid root:1000000:1000000000 # cat /etc/subgid root:1000000:1000000000
As you can see, root now has the range 1000000:1000000000, take note of that range!
/etc/lxc/default.conf and add those ranges:
# nano /etc/lxc/default.conf lxc.idmap = u 0 1000000 1000000000 lxc.idmap = g 0 1000000 1000000000
However! Containers will fail to start unless you run this as root first:
chmod +x /var/lib/lxc
That’s because containers would otherwise no longer have access since they’re running without root rights.
Now, every new container created, will have the root user mapped to one of those user IDs on the host. You can sleep slightly more relaxed now!