[PVE-User] UIDs > 65535 not valid in container

Frank Thommen f.thommen at dkfz-heidelberg.de
Tue Mar 17 09:15:34 CET 2020


Dear all,

On 13.03.20 14:13, Frank Thommen wrote:
> On 3/12/20 7:58 PM, Frank Thommen wrote:
>> On 3/12/20 5:57 PM, Dietmar Maurer wrote:
>>>> I fear
>>>> this might be a container-related issue but I don't understand it and I
>>>> don't know if there is a solution or a workaround.
>>>>
>>>> Any help or hint is highly appreciated
>>>
>>> Yes, we only map 65535 IDs for a single container. We cannot allow
>>> the full range for security reasons.
>>
>> What is the security-related impact of higher UIDs?  This is kind of a
>> showstopper for us, as we planned several such minimal services which 
>> all need to be able to map all existing UIDs in the AD.
>>
>> The idea was to move them away from heavy full VMs to more lightweight 
>> containers.
> 
> Or the other way round: What are the risks if we change the hardcoded 
> limits in /usr/share/perl5/PVE/LXC.pm? (apart from the fact that we
> will have to port the changes after each update and upgrade)

Does anyone have an assessment of the risk we would run?  I still don't 
understand the security implications of the mapping of higher UIDs. 
However, this is quickly becoming a major issue for us.

Cheers
Frank
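
Added example, not part of the original message or of Proxmox's own code: a small Python check of which UIDs fall inside a user-namespace ID map, using the kernel's `/proc/<pid>/uid_map` line format (`inside outside count`). The sample map and the UID list are constructed for illustration; a UID outside the map has no host counterpart, which matches the symptom in the subject line.

```python
from typing import NamedTuple, Optional


class Extent(NamedTuple):
    inside: int   # first ID as seen inside the container
    outside: int  # first ID as seen on the host
    count: int    # number of consecutive IDs covered


def parse_uid_map(text: str) -> list[Extent]:
    """Parse uid_map-style text: one 'inside outside count' triple per line."""
    extents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in line: {line!r}")
        extents.append(Extent(inside, outside, count))
    return extents


def to_host_uid(extents: list[Extent], uid: int) -> Optional[int]:
    """Translate a container UID to its host UID, or None if unmapped."""
    for e in extents:
        if e.inside <= uid < e.inside + e.count:
            return e.outside + (uid - e.inside)
    return None


def unmapped(extents: list[Extent], uids: list[int]) -> list[int]:
    """Return the UIDs that have no mapping inside the container."""
    return [u for u in uids if to_host_uid(extents, u) is None]


# Constructed sample: one extent covering container UIDs 0..65535.
SAMPLE_MAP = "         0     100000      65536\n"
# Constructed sample: a few local UIDs plus two high directory-style UIDs.
SAMPLE_UIDS = [0, 1000, 65535, 65536, 1234567]

if __name__ == "__main__":
    extents = parse_uid_map(SAMPLE_MAP)
    for uid in SAMPLE_UIDS:
        host = to_host_uid(extents, uid)
        print(f"container uid {uid:>8} -> host uid {host if host is not None else 'UNMAPPED'}")
    print("unmapped:", unmapped(extents, SAMPLE_UIDS))
```

Inside a running container, the same functions can be fed the contents of `/proc/self/uid_map` in place of the constructed sample.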

