
If a rootless container process runs as the root user and can't be switched, is it considered to be "root" as far as the kernel is concerned? As in, does it have access to root-only kernel features (like the root keychain)?


No, the kernel knows what its "real" UID and GID are. It even knows what unmapped UIDs and GIDs are. I haven't tried to access the root keychain inside a rootless container, but if it does work I would consider that to be a vulnerability in the kernel.
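An added example, not part of the thread above: it makes the reply's point concrete by resolving what "root" inside a user namespace looks like to the host, using the `/proc/<pid>/uid_map` format (`inside outside length` per line). The two sample maps are constructed; `OVERFLOW_UID` assumes the kernel default of 65534.

```python
"""Map a UID seen inside a user namespace to the UID the kernel really uses."""
import sys
from typing import Optional

OVERFLOW_UID = 65534  # kernel default; see /proc/sys/kernel/overflowuid


def parse_id_map(text: str) -> list[tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map (or gid_map): 'inside outside length' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length in {line!r}")
        entries.append((inside, outside, length))
    return entries


def to_host_id(id_map: list[tuple[int, int, int]], ns_id: int) -> Optional[int]:
    """Return the initial-namespace ID for ns_id, or None if it is unmapped."""
    for inside, outside, length in id_map:
        if inside <= ns_id < inside + length:
            return outside + (ns_id - inside)
    return None


def describe_ns_root(uid_map_text: str) -> str:
    """Classify what the host kernel sees behind the namespace's UID 0."""
    host_uid = to_host_id(parse_id_map(uid_map_text), 0)
    if host_uid is None:
        return f"unmapped (appears as overflow uid {OVERFLOW_UID})"
    if host_uid == 0:
        return "real root: host uid 0"
    return f"unprivileged: host uid {host_uid}"


# Constructed sample: rootless container started by host uid 1000, with the
# subordinate range 100000-165535 (a typical /etc/subuid entry) mapped to 1-65536.
ROOTLESS_UID_MAP = "         0       1000          1\n         1     100000      65536\n"
# Constructed sample: the initial namespace's identity map, where root is root.
INITIAL_UID_MAP = "         0          0 4294967295\n"

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"  # run from the host
    with open(f"/proc/{pid}/uid_map") as f:
        print(describe_ns_root(f.read()))
```

Run it from the host against a container's PID: a process that reports `id -u` as 0 inside the namespace is classified by what its UID 0 maps to, which is what the kernel checks for privilege.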



