[PVE-User] UIDs > 65535 not valid in container
Frank Thommen
f.thommen at dkfz-heidelberg.de
Tue Mar 17 09:15:34 CET 2020
Dear all,
On 13.03.20 14:13, Frank Thommen wrote:
> On 3/12/20 7:58 PM, Frank Thommen wrote:
>> On 3/12/20 5:57 PM, Dietmar Maurer wrote:
>>>> I fear
>>>> this might be a container-related issue but I don't understand it and I
>>>> don't know if there is a solution or a workaround.
>>>>
>>>> Any help or hint is highly appreciated
>>>
>>> Yes, we only map 65535 IDs for a single container. We cannot allow
>>> the full range for security reasons.
>>
>> What is the security related impact of higher UIDs? This is kind of a
>> showstopper for us, as we planned several such minimal services which
>> all need to be able to map all existing UIDs in the AD.
>>
>> The idea was to move them away from heavy full VMs to more lightweight
>> containers.
>
> Or the other way round: What are the risks if we change the hardcoded
> limits in /usr/share/perl5/PVE/LXC.pm? (apart from the fact that we
> will have to port the changes after each update and upgrade)

Does anyone have an assessment of the risk we would run? I still don't
understand the security implications of the mapping of higher UIDs.
However, this is quickly becoming a major issue for us.

Cheers
Frank
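
How an ID map of the kind discussed in this thread translates container UIDs, as an added example that is not part of the original messages or of Proxmox's own code: it parses text in the kernel's `/proc/<pid>/uid_map` format and reports which UIDs have no mapping. The sample map line (65536 IDs starting at host ID 100000) and the UID list are constructed assumptions, and the function names are hypothetical.

```python
# Added example: check which UIDs a user-namespace ID map can represent.
# Map format (as in /proc/<pid>/uid_map), one range per line:
#   <first ID inside namespace> <first ID outside namespace> <count>

# Constructed sample map, not taken from the thread.
SAMPLE_UID_MAP = "         0     100000      65536\n"


def parse_id_map(text):
    """Return a list of (inside_start, outside_start, count) tuples."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        inside, outside, count = (int(f) for f in fields)
        if inside < 0 or outside < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range")
        ranges.append((inside, outside, count))
    return ranges


def to_host_id(ranges, container_id):
    """Translate a container ID to its host ID, or None if it is unmapped."""
    for inside, outside, count in ranges:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None


def unmapped_ids(ranges, ids):
    """Return the sorted IDs that no range of the map covers."""
    return sorted(i for i in set(ids) if to_host_id(ranges, i) is None)


if __name__ == "__main__":
    id_map = parse_id_map(SAMPLE_UID_MAP)
    # Constructed directory-style UIDs: one low, two above the mapped range.
    wanted = [1000, 70000, 1200001]
    for uid in wanted:
        print(uid, "->", to_host_id(id_map, uid))
    print("unmapped:", unmapped_ids(id_map, wanted))
```

On a running container, the same functions can be fed the contents of `/proc/<pid>/uid_map` for a process inside it.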