On 11/11/2013 05:15 PM, Saurabh Deochake wrote:
> Hi all,
>
> I'm trying to restrict the privileges of the root user inside the container. I
> searched about it and got to know about the "idmap" element in the domain XML.
>
> I added "idmap" element in my container's XML file:
>
> <idmap>
> <uid start='0' target='1000' count='10'/>
> <gid start='0' target='1000' count='10'/>
> </idmap>
>
> I restarted the container with updated XML file.
>
> When I execute the "id" command to check whether the root user inside the
> container has been mapped to a user from the host, I still get the output uid as 0:
>
> # id -u root
> 0
>
Yes, this user is the root user in this container, but actually he is mapped to
a normal user (uid 1000) on the host.
This user still has no right to access the files of the host's root user or to
insmod....
You can try creating a file in the container; on the host, the owner of this file is
uid=1000.
And on the other side, if a file's owner is uid 1000 on the host, in this
container you will
see the owner of this file as uid 0.
> Am I doing the steps right to check the user namespacing? Please help me
> out with this.
>
> Thanks in advance,
>
> Saurabh Deochake.
> NTT DATA OSS Center, Pune, India
>
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
>
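To make the mapping in the reply concrete, here is an added example (not from the thread and not libvirt's own code) that parses the `<idmap>` element from the question and translates uids/gids in both directions the way the user-namespace mapping does. The domain skeleton around the element is constructed, and the 65534 overflow id for unmapped host ids is assumed to be the unchanged kernel default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <idmap> element from the question, wrapped in a
# minimal domain skeleton so it parses like libvirt domain XML.
DOMAIN_XML = """
<domain type='lxc'>
  <name>example</name>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
</domain>
"""

# Assumption: kernel.overflowuid / kernel.overflowgid left at their default.
OVERFLOW_ID = 65534


def parse_idmap(xml_text):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from domain XML."""
    root = ET.fromstring(xml_text)
    ranges = {"uid": [], "gid": []}
    for kind in ranges:
        for el in root.findall(f"./idmap/{kind}"):
            ranges[kind].append(tuple(int(el.get(a)) for a in ("start", "target", "count")))
    return ranges


def to_host(ranges, kind, container_id):
    """Container id -> host id; None if no range covers it (unusable inside the container)."""
    for start, target, count in ranges[kind]:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def to_container(ranges, kind, host_id):
    """Host id -> id seen inside the container; unmapped host ids show as the overflow id."""
    for start, target, count in ranges[kind]:
        if target <= host_id < target + count:
            return start + (host_id - target)
    return OVERFLOW_ID


if __name__ == "__main__":
    idmap = parse_idmap(DOMAIN_XML)
    # `id -u root` in the container prints 0, yet files it creates are owned by 1000 on the host.
    print("container uid 0 -> host uid", to_host(idmap, "uid", 0))
    print("host uid 1000 -> container uid", to_container(idmap, "uid", 1000))
    print("host uid 0 (real root) -> container uid", to_container(idmap, "uid", 0))
```

The last line shows why the mapped root cannot touch the host root's files: host uid 0 is outside every range, so inside the container it appears only as the overflow id.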