Using sudo for LXD users

LXD
1

Hi there,

I’m using LXD for some time on my machine and it rocks! I’m currently looking for a solution to give ordinary users access to containers via the lxc(1) command. The users should not be allowed to create new containers, re-configure existing containers, etc. Everything that might elevate their rights inside the hypervisor system should be not allowed. I’ve created the following sudo(8) dropin for ‘/etc/sudoers.d/’:

Cmnd_Alias LXC_START = /var/lib/snapd/snap/bin/lxc start *, /usr/bin/lxc start *
Cmnd_Alias LXC_STOP = /var/lib/snapd/snap/bin/lxc stop *, /usr/bin/lxc stop *
Cmnd_Alias LXC_RESTART = /var/lib/snapd/snap/bin/lxc restart *, /usr/bin/lxc restart *
Cmnd_Alias LXC_SNAPSHOT = /var/lib/snapd/snap/bin/lxc snapshot *, /usr/bin/lxc snapshot *
Cmnd_Alias LXC_PAUSE = /var/lib/snapd/snap/bin/lxc pause *, /usr/bin/lxc pause *
Cmnd_Alias LXC_INFO = /var/lib/snapd/snap/bin/lxc info*, /usr/bin/lxc info*
Cmnd_Alias LXC_LIST = /var/lib/snapd/snap/bin/lxc list*, /usr/bin/lxc list*
Cmnd_Alias LXC_EXEC = /var/lib/snapd/snap/bin/lxc exec *, /usr/bin/lxc exec *
Cmnd_Alias LXC_FILE = /var/lib/snapd/snap/bin/lxc file push, /usr/bin/lxc file push *

%lxd-user ALL = NOPASSWD: LXC_START, LXC_STOP, LXC_RESTART, LXC_SNAPSHOT, LXC_PAUSE, LXC_INFO, LXC_LIST, LXC_EXEC, LXC_FILE

Is this sufficient restrictive or am I missing something here?

2

There are two articles on how to get root if you have access to the LXD socket, creating privileged containers and creating a proxy device.
Your set of commands should protect on these two.

The other way is to use Candid authentication as described in https://linuxcontainers.org/lxd/docs/master/security
I do not know how fine-grained would that solution be, compared to using sudo.

3

After playing around with it a little bit, it seems that the solution provided above allows to push files to containers, that should be kept secret (e.g. /etc/shadow or /etc/ssh/sshd_host_ecdsa.key). The LXC_PUSH command should be omitted therfore.

Unfortunately the candid setup described here: https://ubuntu.com/tutorials/candid-authentication-lxd with an additional LXD container, snap and candid does not fit into my embedded setup.