Are privileged less secure than unprivileged containers

Can you say in general that running unprivileged containers (launch ...) is more secure than running privileged (sudo launch ...) ones?

‘Insecure’ in my example would be whether a skillful person or attacker could take control of the host or other containers running on that host from within a container.

Practical scenario: a webserver running in an LXC container gets hacked from outside.

Can the hackers break out of the container and take control over the host OS more easily if the container is privileged?

If a user manages to get root access to a privileged container, they can reasonably easily gain root on the host. If there is no way for the user to gain root access in the container, then it’s not so bad.

In an unprivileged container, even gaining root access in the container isn’t really a big deal as you’re still an unprivileged user as far as the kernel is concerned. Yes, you do own some kernel resources (namespaces, network devices, …) but those privileges are tied to those devices and can’t be used against the host.


I see, thanks for clarifying.

Taking this into account … is there any use case where you’d want to use a privileged container at all?
For now I’d say: there probably isn’t.

I used privileged containers because they are easier to move between machines because of user-id mappings. Perhaps there is a way to do it for unprivileged containers that I’m unaware of. (I moved containers by rsyncing /var/lib/lxc/container; haven’t done it in the new LXD setup yet.)

So that would be a trade-off, ‘security’ vs ‘convenience’, in a way, right?

In that case, yes, though if using LXD, “lxc move” will take care of any needed cross-host uid/gid remapping.

As for other reasons why you’d want to use privileged containers rather than unprivileged, well, there are a lot of things that real root can do which an unprivileged root can’t.

A privileged container can be made to mount any filesystem, interact with block devices, load kernel modules, alter system kernel settings, … Most of those things can seriously compromise the host and are in fact blocked by our AppArmor policy by default. But if you need to do any of those kinds of things and still want to use a container, privileged will be the only way.

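The point made in the thread above (container root in an unprivileged container is just a high-numbered host uid as far as the kernel is concerned, while in a privileged container it is host uid 0; and the same uid shift is why moving unprivileged containers between hosts needs remapping) can be checked from the kernel's own uid map. The script below is an added example and is not code from this thread or from the LXC/LXD project. It parses the `/proc/self/uid_map` format (`<first uid inside> <first uid on host> <count>`); the two sample maps are constructed, the default 100000 base is only what a stock LXD install typically uses, and the `lxd_is_privileged` helper (which wraps the real `lxc config get <name> security.privileged` command) is defined but not run here.

```shell
#!/bin/sh
# Added example (not from the thread or the LXC/LXD project).
# Classify a container as privileged or unprivileged from the kernel's
# /proc/self/uid_map, the table the kernel consults to decide which host uid a
# container-side uid really is. Each line is:
#     <first uid inside the namespace> <first uid on the host> <count>
# An identity map ("0 0 4294967295") means container root IS host root.
# A shifted map ("0 100000 65536") means container root is host uid 100000,
# i.e. an unprivileged user as far as the kernel and the host are concerned.

# classify_uid_map "<uid_map contents>"
# Prints "privileged", "unprivileged:<host uid of container root>", or
# "unknown" if no mapping range covers container uid 0.
classify_uid_map() {
    result="unknown"
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        # Does this mapping range cover container uid 0?
        if [ "$inside" -le 0 ] && [ $((inside + count)) -gt 0 ]; then
            host_uid=$((outside - inside))
            if [ "$host_uid" -eq 0 ]; then
                result="privileged"
            else
                result="unprivileged:$host_uid"
            fi
            break
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# host_uid_of "<uid_map contents>" <container uid>
# Translates a container-side uid to its host uid (the owner a file written by
# that user has on the host), or "unmapped" if the map does not cover it.
host_uid_of() {
    map="$1"; cuid="$2"; answer="unmapped"
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
            answer=$((outside + cuid - inside))
            break
        fi
    done <<EOF
$map
EOF
    printf '%s\n' "$answer"
}

# Host-side check using the real LXD command and config key (not run here):
# prints "true" for a privileged container, empty or "false" otherwise.
lxd_is_privileged() {
    lxc config get "$1" security.privileged
}

# Constructed sample maps: what `cat /proc/self/uid_map` typically shows inside
# each kind of container on a default LXD install (base uid 100000 assumed).
PRIVILEGED_MAP="0 0 4294967295"
UNPRIVILEGED_MAP="0 100000 65536"

# If run inside a real container (or on a host), inspect the live map too.
if [ -r /proc/self/uid_map ]; then
    echo "this process' uid_map: $(classify_uid_map "$(cat /proc/self/uid_map)")"
fi
echo "sample privileged map:   $(classify_uid_map "$PRIVILEGED_MAP")"
echo "sample unprivileged map: $(classify_uid_map "$UNPRIVILEGED_MAP")"
# A file written by container uid 1000 is owned by host uid 101000 under the
# shifted map; this shift is exactly what has to be redone when a container
# moves to a host with a different base uid.
echo "container uid 1000 on host: $(host_uid_of "$UNPRIVILEGED_MAP" 1000)"
```

Run it inside a container with `sh check_uid_map.sh`: an unprivileged container reports `unprivileged:<base uid>` for the live map, a privileged one reports `privileged`. On the host, `lxd_is_privileged <name>` gives the same answer from LXD's configuration without entering the container.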