Wednesday, 14 January 2015

Is there any security risk with adding **root's** public key to the local user's authorized_keys (so that root can log in as a user non-interactively)?



Background:


I want to give unprivileged lxc containers a try on my small web server (hosting 2-4 users). Since the server is shared among friends, we decided to separate our services from the machine using lightweight containers. We envision that each user will run a host of unprivileged containers, one for each of his services, with the option that selected services/lxc containers will be started at system start.


Under normal circumstances, one would simply use the setuid and setgid stanzas to run lxc containers in the context of each user. Unfortunately it doesn't work; I suspect it has something to do with the subuid requirements of unprivileged containers. Commands such as `sudo -u <user> -- lxc-autostart` or `su -l <user> -c lxc-autostart` may not change the subuid properties of the calling entity (which is root in the case of upstart).


So far, the only way of calling unprivileged containers from another account that I have found is by means of `ssh <user>@localhost lxc-autostart`.


The question rephrased


I can put such an invocation in an upstart script, but for it to work I need to generate a public certificate for root and ensure that <user> will accept automatic logins from upstart's root. Is it secure?


The host is 64-bit Ubuntu 14.04; it already uses ssh. As per Ubuntu's best practices, there is no password for root, and root has an empty .ssh/authorized_keys.


No <user> with automatic lxc containers uses ecryptfs (a.k.a. encrypted home), since it would be useless anyway in such a setup.
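One way to bound what that root key can do, as an added example that is not part of the original question: write the authorized_keys entry with `from=`, `command=` and `no-*` options, so the key only ever runs lxc-autostart, only from localhost, and never opens a shell. The key file name and the `/usr/bin/lxc-autostart` path are assumptions; the key blob in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original question. Restricts the root key that the
# upstart job presents so it can only run lxc-autostart as <user> from localhost.
# Assumed: lxc-autostart lives in /usr/bin (Ubuntu 14.04 package layout).

# restricted_entry KEYLINE
#   Print KEYLINE (one line of a *.pub file) as an authorized_keys entry that
#   denies shells, forwarding and remote sources, and forces a single command.
restricted_entry() {
    key="$1"
    # from=     accept the key only from the loopback address, where upstart runs
    # command=  run lxc-autostart whatever the client asked for (sshd still
    #           exports the requested command in SSH_ORIGINAL_COMMAND)
    # no-*      no interactive pty, no port/X11/agent forwarding, no ~/.ssh/rc
    opts='from="127.0.0.1,::1",command="/usr/bin/lxc-autostart"'
    opts="$opts,no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc"
    printf '%s %s\n' "$opts" "$key"
}

# install_entry KEYFILE AUTHKEYS
#   Append the restricted form of the key in KEYFILE to AUTHKEYS, skipping the
#   write if the same key blob is already present. Returns 0 either way.
install_entry() {
    keyfile="$1"
    authkeys="$2"
    key=$(head -n 1 "$keyfile")
    # compare on key type and base64 blob only; the trailing comment may differ
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if [ -f "$authkeys" ] && grep -qF -- "$blob" "$authkeys"; then
        return 0
    fi
    umask 077   # authorized_keys must not be group- or world-readable
    restricted_entry "$key" >> "$authkeys"
}

# unrestricted_count AUTHKEYS
#   Count non-comment entries that lack a forced command, i.e. keys that would
#   grant a full login shell rather than just lxc-autostart.
unrestricted_count() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null | grep -cv 'command=' || true
}
```

The upstart job can then run `ssh -i /root/.ssh/lxc_autostart <user>@localhost lxc-autostart` (key path assumed); because of `command=`, sshd ignores the requested command and runs the forced one, so a copied key yields nothing beyond starting that user's containers.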




