I’ve set up UID/GID remapping in order to share a disk with the host and this works wonderfully. However, I noticed that my processes are also UID-remapped.
For instance, with the following enabled for my container:
```yaml
security.idmap.isolated: true
raw.idmap: |-
  uid 1000 1000
  gid 1000 1000
```
I will get the following processes on my host:
My concern is about the last process. In my understanding, the UID remapping was only for disk access, but it seems the full process is UID-remapped?
Does it mean that if someone breaks out of the container they will have access to the host as the 1000 user? Doesn't this defeat the goal of UID shifting?
I'm a bit confused about whether I correctly understand the consequences of remapping a UID. Can you confirm whether my hypotheses above are correct?
In case they are correct, what are my options for sharing disks with the host while still keeping the UID shift intact?
shiftfs, but is it a viable solution? I didn't see much documentation about it, and it looks relatively new.
Is there any other solution (other than some UID/ACL hacking on the host)?
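To make the remapping in the question concrete, here is an added example (not from the original post) that resolves a container-side UID to the host-side UID using the kernel's `/proc/<pid>/uid_map` format, where each line is `<inside-start> <outside-start> <count>`. The sample map is constructed: it assumes an isolated range starting at host UID 1000000 (the actual base LXD picks for an isolated container will differ) and the `raw.idmap` entry `uid 1000 1000` from the post, which splits that range so container UID 1000 is host UID 1000 while every other container UID lands in the high range. The same logic applies unchanged to `gid_map`.

```shell
#!/bin/sh
# Added example, not from the original post.
# Resolves a UID as seen inside a user namespace to the UID the host sees,
# by walking the /proc/<pid>/uid_map ranges ("<inside> <outside> <count>").

# Constructed sample map. Assumptions: the container's isolated range starts
# at host UID 1000000 and spans 65536 IDs (LXD's default size); the
# raw.idmap line "uid 1000 1000" carves a single 1:1 entry out of it:
#   container 0..999      -> host 1000000..1000999
#   container 1000        -> host 1000            (the raw.idmap entry)
#   container 1001..65535 -> host 1001001..1065535
SAMPLE_UID_MAP='         0    1000000       1000
      1000       1000          1
      1001    1001001      64535'

# Usage: map_uid <inside_uid> [uid_map_text]
# With no second argument, reads /proc/self/uid_map (run it inside the
# container, or point it at /proc/<pid>/uid_map of a container process).
# Prints the host-side UID, or "unmapped" if no range covers the input.
map_uid() {
    inside="$1"
    map="${2:-$(cat /proc/self/uid_map)}"
    printf '%s\n' "$map" | awk -v want="$inside" '
        # A line covers the UID when inside-start <= want < inside-start + count;
        # the host UID is outside-start plus the offset into the range.
        NF == 3 && want >= $1 && want < $1 + $3 {
            print $2 + (want - $1)
            found = 1
            exit
        }
        END { if (!found) print "unmapped" }'
}

# Demonstration on the constructed map: a process running as UID 1000 inside
# the container is UID 1000 on the host, while root and its neighbours are
# shifted into the high range.
printf 'container uid 0    -> host uid %s\n' "$(map_uid 0 "$SAMPLE_UID_MAP")"
printf 'container uid 1000 -> host uid %s\n' "$(map_uid 1000 "$SAMPLE_UID_MAP")"
printf 'container uid 1001 -> host uid %s\n' "$(map_uid 1001 "$SAMPLE_UID_MAP")"
```

Reading `/proc/<pid>/uid_map` for a process inside the container, and comparing the owner shown by `ps -o user,pid,cmd` on the host, is the quickest way to see which UIDs are shifted and which are passed through 1:1.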