Mailing List Archives Public Access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?

Date: Thu, 10 Mar 2016 08:44:24 -0600
From: Greg Thain <gthain@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?

On 03/10/2016 06:53 AM, Thomas Hartmann wrote:

Hi all,

I stumbled over [1] and am wondering, if it would make sense to map at
least root to another UID/GID - assuming it would reduce(?) the risks by
some hypothetical exploit allowing root to escape a container?


Thomas:

Note that HTCondor will never start a docker container (or any otherjob, in any other universe, for that matter) as root.

I think that going forward, if we wanted to map uids, we'd use the newusername feature of Docker when that is widely available.


-greg

References:
- [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?
  - From: Thomas Hartmann

Prev by Date: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?
Next by Date: [HTCondor-users] submitted jobs are not running
Previous by thread: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?
Next by thread: [HTCondor-users] submitted jobs are not running
Index(es):
- Date
- Thread

Mailing List Archives

Public Access

Re: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?