I’m new to Incus (and LXC containers in general).
I followed the orders shown on the “First Steps with Incus” page at the documentation part, and I have made my first Incus container.
I have created this container using an unprivileged user (this particular user has sudo permissions, but it is NOT a member of the incus-admin group, it is a member of just the incus group, as shown in the guide). That container resides at /var/lib/incus/containers/user-1000_first.
According to the ls output, it seems like this directory - and all the directories and files inside - are owned by my root user. This is on the host:
# ls -l /var/lib/incus/containers/user-1000_first
lrwxrwxrwx 1 root root 63 2025-04-16 00:20:45 /var/lib/incus/containers/user-1000_first -> /var/lib/incus/storage-pools/default/containers/user-1000_first
# ls -l /var/lib/incus/storage-pools/default/containers/user-1000_first
total 24K
d--x------ 4 1000000 root 4.0K 2025-04-16 00:20:45 ./
drwx--x--x 3 root root 4.0K 2025-04-16 00:20:42 ../
-r-------- 1 root root 3.3K 2025-04-19 10:06:16 backup.yaml
-rw-r--r-- 1 root root 526 2025-04-15 10:49:42 metadata.yaml
drwxr-xr-x 17 root root 4.0K 2025-04-15 10:49:42 rootfs/
drwxr-xr-x 2 root root 4.0K 2025-04-15 10:49:42 templates/
# ls -l /var/lib/incus/storage-pools/default/containers/user-1000_first/rootfs/ [1/128]
total 68K
drwxr-xr-x 17 root root 4.0K 2025-04-15 10:49:42 ./
d--x------ 4 root root 4.0K 2025-04-16 00:20:45 ../
lrwxrwxrwx 1 root root 7 2025-04-15 10:43:23 bin -> usr/bin/
drwxr-xr-x 2 root root 4.0K 2022-04-18 13:28:59 boot/
drwxr-xr-x 2 root root 4.0K 2025-04-15 10:49:42 dev/
drwxr-xr-x 62 root root 4.0K 2025-04-15 10:45:26 etc/
drwxr-xr-x 3 root root 4.0K 2025-04-15 10:44:48 home/
lrwxrwxrwx 1 root root 7 2025-04-15 10:43:23 lib -> usr/lib/
lrwxrwxrwx 1 root root 9 2025-04-15 10:43:23 lib64 -> usr/lib64/
drwxr-xr-x 2 root root 4.0K 2025-04-15 10:43:24 media/
drwxr-xr-x 2 root root 4.0K 2025-04-15 10:43:24 mnt/
drwxr-xr-x 2 root root 4.0K 2025-04-15 10:43:24 opt/
drwxr-xr-x 2 root root 4.0K 2022-04-18 13:28:59 proc/
drwx------ 2 root root 4.0K 2025-04-16 00:23:31 root/
drwxr-xr-x 2 root root 4.0K 2025-04-15 10:45:26 run/
lrwxrwxrwx 1 root root 8 2025-04-15 10:43:23 sbin -> usr/sbin/
drwxr-xr-x 2 root root 4.0K 2025-04-15 10:43:24 srv/
drwxr-xr-x 2 root root 4.0K 2022-04-18 13:28:59 sys/
drwxrwxrwt 7 root root 4.0K 2025-04-19 17:27:09 tmp/
drwxr-xr-x 12 root root 4.0K 2025-04-15 10:43:24 usr/
drwxr-xr-x 12 root root 4.0K 2025-04-15 10:44:17 var/
(I am using root to see this directory on the host because I’m tired of using sudo just to see the ls output)
So I wonder - I have made a non-privileged incus container, but the permissions on that directory belong to the root user.
Is that insecure? Could it be dangerous? Is my container REALLY UNPRIVILEGED?
For what it’s worth (if it’s useful), I am using Debian 12, and I have installed Incus using the bookworm-backports.
Thank you for your responses