podman in production: unpriviliged user vs. --userns=auto

[tobwen]

Based on this discussion, @rhatdan stated that podman run --userns=auto might be a better solution for containers in production launched by podman. For sure, when starting it as a privileged user, you're way more flexible.

But is the isolation in a unique UserNS as secure as running podman from an unprivileged user?

[rhatdan]

It is actually more secure. If you run two containers as a rootless user, they run in the same user namespace so they can attack each other from a User Namespace point of view.

If you run two containers as root with podman run --userns auto, then they run in unigue user namespace and are isolated.

Rootless containers are great for containers run by users on a system, but if you are just running containers on a server, then --userns=auto is a more secure solution. (I plan on writing a blog on this).

[tobwen]

Thank you for your explanation. A blog article on this topic would be excellent.

I know numerous people - and I count myself among them - who assumed that containers started by an unprivileged user would be more secure. This is probably related to the fact that an attacker would not have root access if they broke out of the container. The question is to what extent it is possible to break out of the container at all.

[rhatdan]

None of the process that run with --userns=auto are running as root and none have any host linux capabiltiies, only User Namespaced capabilities.

[Luap99]

Well I can still run --userns=auto as rootless. I just need to configure more uids manually so I would say --userns=auto is more secure than without it.

[rhatdan]

Yes but you have much smaller number of UIDs available to run containers in this manner.

[tobwen]

Can you please remember to write a short blog post stating that a rootful podman is safer than a rootless podman? I'm really struggling to convince other users of this. Maybe a short notice in the README would be enough?

[Luap99]

Well this sentence is not true. We explicitly talk about --userns auto is more secure. This is a very important difference.
The secure part is that with userns auto all containers run in a different user namespace (different uids on the host). You can achieve the same as rootless user so I wouldn't say rootful is more secure than rootless.

[tobwen]

Sure, --userns auto is mandatory. However, I assumed that there are other security functions in the kernel that could currently only be accessed by root. It is wonderful that this has now been clarified.

[rhatdan]

I have a blog in progress, the problem is it is arguable which is more secure.
$ sudo podman run --userns=auto ... Runs each containers in a separate user namespace where each container is running with different UIDs and almost assuradly does not match any other UIDs on the host. BUT the podman command runs as root which means it pulls images as root. Pulling images as root can be risky, because flaws in the pulling could (have in the past) cause root to write anywhere.
$ podman run ... Runs the container in a single user namespace where it could attack the users homedir and potentially get a users data. Also all containers run in the same user namespace.

[tobwen]

$ podman run ... Runs the container in a single user namespace where it could attack the users homedir and potentially get a users data. Also all containers run in the same user namespace.

Would this also be the case if you run each container under a different user? Or would a different namespace then be assigned?

[rhatdan]

If you run each container under a different user and managed the /etc/subuid and /etc/subgid files to maintain separation, this would be safer, although they could access content in user homedir.

$ podman run --userns=nomap ...

Would solve this problem.

But this is way more complex. You could also setup a Huge /etc/subuid range for a user and then run lots of containers for that user with --userns=auto ... Which is probably the most secure.

[cgwalters]

One thing related to this...what would I think be quite cool is integration with systemd DynamicUser=yes at least for quadlet containers (we'd still need to mount the image as privileged, so doing this would probably require some lower level systemd integration).

[cgwalters]

Yeah, the containers user here is IMO pretty suboptimal. Is something actually intended to create that user today automatically?