It is highly suggested on this page: Linux Containers - LXC - Getting started
“So should something go very wrong and an attacker manages to escape the container,
they’ll find themselves with about as many rights as a nobody user.”
What led to that first word “So”: "That means that uid 0 (root) in the container is actually something like uid 100000 outside the container. "
Wouldn’t that normally suggest that the escape leads to the user that started the container, not a nobody user?
I also tried:
user@user:/$ unshare --user bash
nobody@user:/$ unshare --map-root-user bash
unshare: unshare failed: Operation not permitted
This works though:
user@user:/$ unshare --map-root-user bash
Which makes me think that normally unprivileged containers can’t be made from nobody users.
Does LXC circumvent this and still make unprivileged containers from nobody users?
Or is the first quote just false/very loose language?
If it’s true I don’t think I need separate users for all of my containers.
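The uid translation the quoted page describes (container root being uid 100000 on the host, and unmapped ids showing up as "nobody") is decided by the kernel's /proc/<pid>/uid_map. The following is an added example, not code from the original post or from the LXC project: it parses uid_map lines in the kernel's "inside outside count" format and translates ids in both directions, returning the overflow uid for anything outside every mapped range. The sample mappings are constructed, and the overflow uid is assumed to be the kernel default 65534 (readable from /proc/sys/kernel/overflowuid on a real system).

```python
"""Translate uids across a user namespace the way the kernel's uid_map does.

Each uid_map line is "inside outside count": the `count` ids starting at
`inside` in the namespace correspond to the ids starting at `outside` in
the parent (host) namespace. Any id not covered by a line is shown as the
overflow uid, which is what `nobody` in the question's `unshare --user bash`
prompt was: with an empty uid_map, every host uid is unmapped.
"""

# Assumed kernel default; /proc/sys/kernel/overflowuid holds the real value.
OVERFLOW_UID = 65534

# Constructed sample: a typical LXC unprivileged-container mapping.
LXC_UID_MAP = "         0     100000      65536\n"

# Constructed sample: what `unshare --map-root-user` writes when run as uid 1000.
MAP_ROOT_USER_UID_MAP = "         0       1000          1\n"


def parse_uid_map(text):
    """Return [(inside_start, outside_start, count), ...] from uid_map text."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def container_to_host(uid, entries, overflow=OVERFLOW_UID):
    """Host uid that a process running as `uid` inside the namespace really has."""
    for inside, outside, count in entries:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return overflow


def host_to_container(uid, entries, overflow=OVERFLOW_UID):
    """Uid the namespace sees for a host uid; overflow ("nobody") if unmapped."""
    for inside, outside, count in entries:
        if outside <= uid < outside + count:
            return inside + (uid - outside)
    return overflow


def escape_identity(entries, container_uid=0):
    """Describe what an escape from container `container_uid` lands as on the host.

    The host uid is reported together with whether it falls inside the
    container's own mapped range: a uid like 100000 owns nothing on the host
    beyond the container's files, which is why the quoted page compares it
    to a nobody user.
    """
    host_uid = container_to_host(container_uid, entries)
    mapped = host_uid != OVERFLOW_UID
    return {"host_uid": host_uid, "mapped": mapped}


if __name__ == "__main__":
    # Show the mapping of the current process on a Linux host (real read).
    try:
        with open("/proc/self/uid_map") as fh:
            live = parse_uid_map(fh.read())
        print("current uid_map:", live)
    except OSError as exc:
        print("could not read /proc/self/uid_map:", exc)

    lxc = parse_uid_map(LXC_UID_MAP)
    print("container root on host ->", escape_identity(lxc))
    print("host uid 1000 seen from container ->", host_to_container(1000, lxc))
```

Running it against the constructed LXC map shows container uid 0 becoming host uid 100000 while the host's own uid 1000 is invisible (overflow) from inside; with an empty map, as after `unshare --user` without `--map-root-user`, every id is overflow, matching the `nobody@user` prompt in the question.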