debian/rules and debian/lxc.postinst: set /var/lib/lxc to be perms 700. That prevents unprivileged users from running setuid-root applications. Install that way by default, and for any previous versions, update the permissions. After this version, respect the user's choice. (LP: #1244635)