OK, let’s say you’re using LXC containers. Usually you create them as the root user, and the root user inside the container is mapped to the root user outside the container: UID 0 in the container is UID 0 on the host.

But here’s the problem: if anything in that container gets exploited (say, a remote code execution vulnerability), and on top of that the attacker manages to gain root inside the container (this happens easily when the exploited program is already running as root), and, again on top of that, manages to escape the container, then after that chain of failures the attacker has root on the host.

So, instead, we can map the root user inside the container to an otherwise unused range of user IDs on the host, such that if the container is escaped, the attacker holds an unprivileged host UID that owns nothing outside the container, with permissions similar to the user “nobody” rather than root.

First, check the contents of /etc/subuid and /etc/subgid and look for a line starting with root:. If there is no entry, we have to create them:

usermod --add-subuids 1000000-1000999999 root
usermod --add-subgids 1000000-1000999999 root

Now check the contents of the files again:

# cat /etc/subuid
root:1000000:1000000000

# cat /etc/subgid
root:1000000:1000000000

As you can see, root now has the range 1000000:1000000000, i.e. 1000000000 IDs starting at host ID 1000000 (the file format is user:start:count). Take note of that range!

Now edit /etc/lxc/default.conf and add matching lxc.idmap lines (container ID 0 maps to host ID 1000000, and the mapping covers 1000000000 IDs; on LXC older than 2.1 the key is spelled lxc.id_map):

# nano /etc/lxc/default.conf
lxc.idmap = u 0 1000000 1000000000
lxc.idmap = g 0 1000000 1000000000

However! Containers will fail to start unless you first run this as root:

chmod +x /var/lib/lxc

That’s because the container’s processes now run as the mapped host UID rather than as root, and /var/lib/lxc is normally created with mode 700, so that UID cannot even traverse the directory. The execute bit on a directory is search permission; chmod o+x /var/lib/lxc is the minimal equivalent, and the directory’s contents stay unreadable to other users either way.

Now every new container you create will have its root user mapped into that range on the host. Note that default.conf only affects containers created after the change: existing privileged containers keep their own config and a rootfs owned by the real root, so they are not converted automatically. You can sleep slightly more relaxed now!
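The steps above, collected into shell helpers that read the subuid/subgid entry, emit the matching lxc.idmap lines, translate a host UID back to the container UID it represents, and check that /var/lib/lxc is traversable. This is an added example, not code from the original post; the helpers take file paths as arguments so they can be exercised on copies, and only the check and apply entry points (run as root, with the same 1000000/1000000000 range the post uses) touch the real host:

```shell
#!/bin/sh
# Added example, not part of the original post: helpers that carry out and
# verify the unprivileged-root setup described above. Only check_host and
# apply_host read or write the real /etc/subuid, /etc/subgid, /etc/lxc and
# /var/lib/lxc; everything else works on whatever path it is given.
set -eu

# Print "START COUNT" for USER's line in a subuid/subgid-style file
# (format name:start:count). Fails with status 1 when there is no entry.
subid_range() {
    file=$1; user=$2
    awk -F: -v u="$user" '$1 == u { print $2, $3; found = 1 } END { exit !found }' "$file"
}

# Emit the two lxc.idmap lines: container id 0 becomes host id START and the
# mapping covers COUNT ids, separately for uids (u) and gids (g).
idmap_lines() {
    ustart=$1; ucount=$2; gstart=$3; gcount=$4
    printf 'lxc.idmap = u 0 %s %s\n' "$ustart" "$ucount"
    printf 'lxc.idmap = g 0 %s %s\n' "$gstart" "$gcount"
}

# Translate a host uid (as seen in ps on the host) back to the container uid
# it represents, or fail if it lies outside [START, START+COUNT).
host_to_container_uid() {
    host_uid=$1; start=$2; count=$3
    if [ "$host_uid" -ge "$start" ] && [ "$host_uid" -lt $((start + count)) ]; then
        echo $((host_uid - start))
    else
        return 1
    fi
}

# The mapped host uid is not root, so it needs search (x) permission for
# "other" on every directory it traverses, /var/lib/lxc included.
# Column 10 of `ls -ld` is the other-execute bit (x, or t when sticky).
dir_has_other_search() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report whether this host is configured as the post describes (run as root).
check_host() {
    uid_range=$(subid_range /etc/subuid root) || { echo "no subuid entry for root"; return 1; }
    gid_range=$(subid_range /etc/subgid root) || { echo "no subgid entry for root"; return 1; }
    echo "subuid: $uid_range  subgid: $gid_range"
    grep -q '^lxc.idmap = u 0 ' /etc/lxc/default.conf || { echo "no uid map in default.conf"; return 1; }
    grep -q '^lxc.idmap = g 0 ' /etc/lxc/default.conf || { echo "no gid map in default.conf"; return 1; }
    dir_has_other_search /var/lib/lxc || { echo "/var/lib/lxc not traversable by others"; return 1; }
    echo "ok"
}

# Apply the steps from the post on this host (run as root). Uses the post's
# range only when root has no entry yet; the idmap lines are generated from
# whatever /etc/subuid and /etc/subgid actually contain.
apply_host() {
    start=1000000; count=1000000000
    subid_range /etc/subuid root >/dev/null || usermod --add-subuids "$start-$((start + count - 1))" root
    subid_range /etc/subgid root >/dev/null || usermod --add-subgids "$start-$((start + count - 1))" root
    set -- $(subid_range /etc/subuid root) $(subid_range /etc/subgid root)
    grep -q '^lxc.idmap = ' /etc/lxc/default.conf || idmap_lines "$1" "$2" "$3" "$4" >> /etc/lxc/default.conf
    dir_has_other_search /var/lib/lxc || chmod o+x /var/lib/lxc
}

# Usage: sh thisfile.sh check | sh thisfile.sh apply
case "${1:-}" in
    check) check_host ;;
    apply) apply_host ;;
esac
```

After applying, `sh thisfile.sh check` should print the two ranges and `ok`; once a container is running, feeding a UID from `ps -o uid,cmd` on the host to host_to_container_uid tells you which container user it corresponds to, and a UID outside the range (which the helper rejects) means that process is not running under the mapping at all.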