
What makes firefox inside a container launch a new firefox window outside on the host with the UID of the host user? Isn't it weird for an LXC?

3 votes
1 answer
1356 views
Can someone please explain this weird behaviour to me: I have an unprivileged LXC container with firefox inside.

**If firefox is running on the host outside of the container**, /usr/bin/firefox inside the container launches a new firefox window **outside** on the host with the UID of the host user.

**If firefox is NOT running outside of the container**, /usr/bin/firefox inside the container launches firefox with the (SUB)UID of the container user like it should be.

The reverse is also true: If firefox is running inside the container (but not on the host), and firefox is started on the host, the firefox which is started has the UID of the container user. ?!?! How is that ?!?!

EDIT: Confirmed that the same issue emerges when using a default unprivileged Ubuntu container with default configuration file.

EDIT: asked the same question in the arch forums https://bbs.archlinux.org/viewtopic.php?pid=1622174#p1622174

config file:

```
lxc.devttydir = lxc
lxc.pts = 1024
lxc.tty = 4
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.pivotdir = lxc_putold
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.hook.mount = /usr/share/lxcfs/lxc.mount.hook
lxc.hook.post-stop = /usr/share/lxcfs/lxc.reboot.hook
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.devices.allow = c 10:228 rwm
lxc.cgroup.devices.allow = c 10:232 rwm
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.devttydir =
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
lxc.arch = x86_64
lxc.cgroup.devices.allow = c 226:* rwm
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
```

The container is started like this:

```
lxc-start -n c1 -F -f /path/to/above/conf -s 'lxc.id_map = u 0 100000 65536' -s 'lxc.id_map = g 0 100000 65536' -s 'lxc.rootfs = /path/to/rootfs' -s 'lxc.init_cmd = /usr/bin/bash'
```

EDIT: Distribution Arch Linux

```
$ uname -r
4.6.0-rc4-customGIT+
# lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
```
Asked by MCH (509 rep)
Apr 22, 2016, 01:35 AM
Last activity: Aug 16, 2016, 09:28 AM
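The config quoted in the question bind-mounts the host's `/tmp/.X11-unix` into the container, which is the one host IPC endpoint it deliberately exposes; the Firefox inside the container can evidently reach the host's X server, so that mount is where to look first. The following audit script is an added example (not the asker's code and not part of LXC): it parses an LXC config in the `key = value` format shown above, splits each `lxc.mount.entry` value into fstab-style fields, and reports bind mounts whose host source is a socket directory that lets container processes talk to host processes. The list of IPC paths and the sample config excerpt are constructed for the example.

```python
"""Audit an LXC config for bind mounts that expose host IPC endpoints.

Added example for this page (not the asker's code, not part of LXC).
It parses the `key = value` config format shown in the question and
reports lxc.mount.entry lines whose *source* is a host socket directory
through which container processes can reach host processes.
"""
import fnmatch

# Assumed list of host paths that carry process-to-process IPC.
# Extend for your own deployment; /dev/dri and the /dev/* nodes are
# device files, not IPC sockets, so they are deliberately not listed.
SHARED_IPC_PATTERNS = [
    ("/tmp/.X11-unix*", "X11 server socket: container X clients share the host display"),
    ("/run/dbus*", "system D-Bus socket"),
    ("/var/run/dbus*", "system D-Bus socket"),
    ("/run/user/*", "XDG runtime dir: session bus, Wayland and PulseAudio sockets"),
]


def parse_lxc_config(text):
    """Return (key, value) pairs in file order; blank and '#' lines are skipped.

    Keys may repeat (lxc.mount.entry, lxc.cgroup.devices.allow) and values
    may be empty (the question's config has 'lxc.cgroup.devices.deny =').
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return entries


def parse_mount_entry(value):
    """Split an lxc.mount.entry value (fstab layout) into its fields.

    Returns None when fewer than the four mandatory fields are present.
    """
    fields = value.split()
    if len(fields) < 4:
        return None
    source, target, fstype, options = fields[:4]
    return {
        "source": source,
        "target": target,
        "fstype": fstype,
        "options": options.split(","),
    }


def find_shared_ipc_mounts(config_text):
    """Return one finding dict per bind mount of a host IPC endpoint."""
    findings = []
    for key, value in parse_lxc_config(config_text):
        if key != "lxc.mount.entry":
            continue
        mount = parse_mount_entry(value)
        if mount is None or "bind" not in mount["options"]:
            continue
        for pattern, reason in SHARED_IPC_PATTERNS:
            if fnmatch.fnmatchcase(mount["source"], pattern):
                findings.append({
                    "source": mount["source"],
                    "target": mount["target"],
                    # 'ro' only blocks writes to files and directories; the
                    # kernel still allows connect() on a unix socket that
                    # lives on a read-only bind mount.
                    "read_only": "ro" in mount["options"],
                    "reason": reason,
                })
                break
    return findings


# Constructed excerpt modelled on the config quoted in the question.
SAMPLE_CONFIG = """\
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.cgroup.devices.deny =
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
"""

if __name__ == "__main__":
    for f in find_shared_ipc_mounts(SAMPLE_CONFIG):
        mode = "read-only" if f["read_only"] else "read-write"
        print(f"{f['source']} -> {f['target']} ({mode}): {f['reason']}")
```

Run against the sample, the script reports only the X11 socket mount. The `ro` option on that entry is flagged but not treated as a mitigation: a read-only bind mount stops file writes, not `connect()` on a socket, which is consistent with the contained Firefox still displaying on the host. The user-namespace UID mapping does not limit this channel either, because the X server sees only whoever can open its socket.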