[lxc-devel] [critical] "Default" configuration may destroy host system

Daniel Lezcano daniel.lezcano at free.fr
Tue Nov 24 21:28:24 UTC 2009


Andrian Nord wrote:
> If you're running (by mistake or typo) (via lxc-start) a container that does not
> exist it will run with lxc.rootfs=/, meaning that /sbin/init will
> restart the initialization procedure, effectively messing up the host's system,
> which may lead to unpredictable results or even destroy (make inaccessible) the host
> system (by resetting network configuration or something like that).
>
> (Actually, it _did_ destroy system of everyone who tested this).
>   
bad :)

If lxc-start was able to exec /sbin/init and this one has enough 
privilege to set up the network, that means it has been run as root. This 
is an example of bad usage of the command, like root doing "rm -rf 
/usr" for example.
But on the other hand, lxc-start -n foo runs /sbin/init implicitly, so 
I am hesitant to say "root should know what it does".
> Actually, I finally lost any meaning of having such a feature for
> full-system containers. You may not use the host's FS - it's described
> above. You may not use some temporary directory - that's nonsense.
>
> This patch forbids starting a container via lxc-start without an rcfile and
> a custom start program, but it probably fixes only a small part of the problem.
>   
Yeah, maybe it would be preferable to move the "rcfile" parsing from the 
lxc_start function to the caller and pass the "struct lxc_conf" to 
lxc_start. So we would have the lxc_conf structure in lxc_start and we could do 
all the sanity checks before calling lxc_start, no?

> I really don't see much sense in such a feature without the ability to
> override the 'default' setting with command-line switches. 
I am not sure I understand what you mean by overriding the 'default' setting 
with command-line switches.
Can you elaborate a bit with an example?
> Anyway, the default
> behaviour should be as safe as possible.
>
> Signed-off-by: Andrian Nord <NightNord at gmail.com>
>
> diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
> index cf87abf..b8a8ec6 100644
> --- a/src/lxc/lxc_start.c
> +++ b/src/lxc/lxc_start.c
> @@ -161,6 +161,11 @@ int main(int argc, char *argv[])
>  		}
>  	}
>  
> +	if (!rcfile && !my_args.argc) {
> +		ERROR("no configuration file for full-system container");
> +		return err;
> +	}
> +
>  	if (my_args.daemonize) {
>  
>                  /* do not chdir as we want to open the log file,
>   
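Review bot: `return err;` in the new block relies on `err` already holding a failure value at this point, but nothing in the hunk sets it; if an earlier statement in main() left it at 0, lxc-start would log the ERROR and still exit with success. Return an explicit error (e.g. `return -1;`) or assign `err` immediately before the return. The condition itself matches the bug described: no rcfile and no command on the command line is exactly the case where /sbin/init would be run with lxc.rootfs=/.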
Do you mind if I move the rcfile parsing before calling lxc_start and 
then we discuss the sanity checks in lxc_start?

Thanks for pointing out this problem; I feel 0.6.4 will have a very short 
life :)
