Using sudo for LXD users

Hi there,

I’m using LXD for some time on my machine and it rocks! I’m currently looking for a solution to give ordinary users access to containers via the lxc(1) command. The users should not be allowed to create new containers, re-configure existing containers, etc. Everything that might elevate their rights inside the hypervisor system should be not allowed. I’ve created the following sudo(8) dropin for ‘/etc/sudoers.d/’:

Cmnd_Alias LXC_START = /var/lib/snapd/snap/bin/lxc start *, /usr/bin/lxc start *
Cmnd_Alias LXC_STOP = /var/lib/snapd/snap/bin/lxc stop *, /usr/bin/lxc stop *
Cmnd_Alias LXC_RESTART = /var/lib/snapd/snap/bin/lxc restart *, /usr/bin/lxc restart *
Cmnd_Alias LXC_SNAPSHOT = /var/lib/snapd/snap/bin/lxc snapshot *, /usr/bin/lxc snapshot *
Cmnd_Alias LXC_PAUSE = /var/lib/snapd/snap/bin/lxc pause *, /usr/bin/lxc pause *
Cmnd_Alias LXC_INFO = /var/lib/snapd/snap/bin/lxc info*, /usr/bin/lxc info*
Cmnd_Alias LXC_LIST = /var/lib/snapd/snap/bin/lxc list*, /usr/bin/lxc list*
Cmnd_Alias LXC_EXEC = /var/lib/snapd/snap/bin/lxc exec *, /usr/bin/lxc exec *
Cmnd_Alias LXC_FILE = /var/lib/snapd/snap/bin/lxc file push, /usr/bin/lxc file push *


Is this sufficient restrictive or am I missing something here?

There are two articles on how to get root if you have access to the LXD socket, creating privileged containers and creating a proxy device.
Your set of commands should protect on these two.

The other way is to use Candid authentication as described in
I do not know how fine-grained would that solution be, compared to using sudo.

After playing around with it a little bit, it seems that the solution provided above allows to push files to containers, that should be kept secret (e.g. /etc/shadow or /etc/ssh/sshd_host_ecdsa.key). The LXC_PUSH command should be omitted therfore.

Unfortunately the candid setup described here: with an additional LXD container, snap and candid does not fit into my embedded setup.