[lxc-devel] bugs with LXC container : mount and rmmod command

Elias Olivares eolivares at 1g6.biz
Thu Mar 4 16:05:43 UTC 2010 

Hi ! 

I've tried to reproduce this bug on 0.6.5 lxc release and the same bug appears when i run the umount command or rmmod command. 

To reproduce the bug : 

Host name : debian 
Guest container name : container 

You MUST create a dedicated partition to share your containers (an other partition than " / ") 

debian:# df 

/dev/hda1 7850996 2058732 5393452 28% / 
tmpfs 253768 0 253768 0% /lib/init/rw 
udev 10240 108 10132 2% /dev 
tmpfs 253768 0 253768 0% /dev/shm 
/dev/hdb1 4127076 552552 3364880 15% /mnt/vmr1 

Then enter into the container (lxc-console -n container) and stop cron, syslog, bind 9,ssh processes. 

container:~# ps aux 

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
root 1 0.0 0.1 1984 692 ? Ss 11:10 0:00 init [2] 
root 387 0.0 0.4 5884 2272 console Ss 11:10 0:00 /bin/login -- 
root 388 0.0 0.1 1992 572 tty1 Ss+ 11:10 0:00 /sbin/getty 38400 tty1 
root 389 0.0 0.1 1992 568 tty2 Ss+ 11:10 0:00 /sbin/getty 38400 tty2 
root 390 0.0 0.1 1992 568 tty3 Ss+ 11:10 0:00 /sbin/getty 38400 tty3 
root 392 0.0 0.5 4132 2680 console S 11:11 0:00 -bash 
root 584 0.0 0.1 2644 956 console R+ 11:43 0:00 ps aux 

Then use the mount command : 

container:~# mount -o remount,ro / 

Return to the Host and try to create a file in /mnt/vmr1/ . The folder is set in "read only". 

The second bug : 

Install ntfs module in the host : (exemple with ntfs module) 

debian:# modprobe ntfs 

Enter into the container and delete ntfs module 

container:~# rmmod ntfs 

Return to the host : the module has been removed 



Does anyone have solved this problem ? 

I think it is a major security problem. 


----- Mail Original ----- 
De: "Daniel Lezcano" <daniel.lezcano at free.fr> 
À: "Elias Olivares" <eolivares at 1g6.biz> 
Cc: lxc-devel at lists.sourceforge.net 
Envoyé: Vendredi 8 Janvier 2010 13:14:36 
Objet: Re: [lxc-devel] bugs with LXC container : mount and rmmod command 

Elias Olivares wrote: 
> 
> 
> Hi ! 
> 
> I've found the way to reproduce the bug. 
> 
> Host name : debian 
> Guest container name : container 
> 
> You MUST create a dedicated partition to share your containers (an other partition than " / ") 

Thanks, I will check when I have time. 



> Here the container is created in /mnt/vmr1/ : 
> 
> debian:# df 
> 
> /dev/hda1 7850996 2058732 5393452 28% / 
> tmpfs 253768 0 253768 0% /lib/init/rw 
> udev 10240 108 10132 2% /dev 
> tmpfs 253768 0 253768 0% /dev/shm 
> /dev/hdb1 4127076 552552 3364880 15% /mnt/vmr1 
> 
> Then enter into the container (lxc-console -n container) and stop cron, syslog, bind 9,ssh processes. 
> 
> container:~# ps aux 
> 
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
> root 1 0.0 0.1 1984 692 ? Ss 11:10 0:00 init [2] 
> root 387 0.0 0.4 5884 2272 console Ss 11:10 0:00 /bin/login -- 
> root 388 0.0 0.1 1992 572 tty1 Ss+ 11:10 0:00 /sbin/getty 38400 tty1 
> root 389 0.0 0.1 1992 568 tty2 Ss+ 11:10 0:00 /sbin/getty 38400 tty2 
> root 390 0.0 0.1 1992 568 tty3 Ss+ 11:10 0:00 /sbin/getty 38400 tty3 
> root 392 0.0 0.5 4132 2680 console S 11:11 0:00 -bash 
> root 584 0.0 0.1 2644 956 console R+ 11:43 0:00 ps aux 
> 
> Then use the mount command : 
> 
> container:~# mount -o remount,ro / 
> 
> Return to the Host and try to create a file in /mnt/vmr1/ . The folder is set in "read only". 
> 
> I tried with the 0.6.4 version and I have the same problem. 
> 
> 
> Elias Olivares 
> 
> 
> ----- Mail Original ----- 
> De: "Elias Olivares" <eolivares at 1g6.biz> 
> À: "Daniel Lezcano" <daniel.lezcano at free.fr> 
> Cc: lxc-devel at lists.sourceforge.net 
> Envoyé: Mercredi 6 Janvier 2010 16:05:58 
> Objet: Re: [lxc-devel] bugs with LXC container : mount and rmmod command 
> 
> 
> Ok thanks for this advice. I can't try now but I will try tommorow ... 
> 
> Elias 
> 
> 
> ----- Mail Original ----- 
> De: "Daniel Lezcano" <daniel.lezcano at free.fr> 
> À: "Elias Olivares" <eolivares at 1g6.biz> 
> Cc: lxc-devel at lists.sourceforge.net 
> Envoyé: Mercredi 6 Janvier 2010 13:03:59 
> Objet: Re: [lxc-devel] bugs with LXC container : mount and rmmod command 
> 
> Elias Olivares wrote: 
>> Hi 
>> 
>> 
>> My Lxc configuration file : ( /var/lib/lxc/xxx.1g6.biz /config ) 
>> 
>> lxc.utsname = xxx.1g6.biz 
>> lxc.tty = 4 
>> lxc.pts = 1024 
>> lxc.network.type = veth 
>> lxc.network.flags = up 
>> lxc.network.link = br0 
>> lxc.network.name = eth0 
>> lxc.network.mtu = 1500 
>> #lxc.mount = 
>> lxc.rootfs = /mnt/vmr1/xxx.1g6.biz 
>> lxc.cgroup.devices.deny = a 
>> # /dev/null and zero 
>> lxc.cgroup.devices.allow = c 1:3 rwm 
>> lxc.cgroup.devices.allow = c 1:5 rwm 
>> # consoles 
>> lxc.cgroup.devices.allow = c 5:1 rwm 
>> lxc.cgroup.devices.allow = c 5:0 rwm 
>> lxc.cgroup.devices.allow = c 4:0 rwm 
>> lxc.cgroup.devices.allow = c 4:1 rwm 
>> # /dev/{,u}random 
>> lxc.cgroup.devices.allow = c 1:9 rwm 
>> lxc.cgroup.devices.allow = c 1:8 rwm 
>> lxc.cgroup.devices.allow = c 136:* rwm 
>> lxc.cgroup.devices.allow = c 5:2 rwm 
>> # rtc 
>> lxc.cgroup.devices.allow = c 254:0 rwm 
>> 
>> # lxc-version 
>> lxc version: 0.6.3 
> 
> There were some modifications with how the rootfs is mounted. 
> 
> Can you check against the 0.6.4 version ? 
> 
> wget http://lxc.sourceforge.net/download/lxc/lxc-0.6.4.tar.gz 
> tar xvzf lxc-0.6.4.tar.gz 
> cd lxc-0.6.4 
> ./configure --localstate=/var --prefix=/usr --libdir=/usr/lib64 (if you 
> are on a x86_64 arch). 
> make && sudo make install 
> 
> Or may be you can try with the latest git repository: 
> 
> git-clone git://lxc.git.sourceforge.net/gitroot/lxc/lxc 
> cd lxc 
> ./autogen.sh 
> ./configure --localstate=/var --prefix=/usr --libdir=/usr/lib64 (if you 
> are on a x86_64 arch). 
> make && sudo make install 
> 
> ------------------------------------------------------------------------------ 
> This SF.Net email is sponsored by the Verizon Developer Community 
> Take advantage of Verizon's best-in-class app development support 
> A streamlined, 14 day to market process makes app distribution fast and easy 
> Join now and get one step closer to millions of Verizon customers 
> http://p.sf.net/sfu/verizon-dev2dev 
> _______________________________________________ 
> Lxc-devel mailing list 
> Lxc-devel at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/lxc-devel 
> 
> 
> 
> ------------------------------------------------------------------------ 
> 
> ------------------------------------------------------------------------------ 
> This SF.Net email is sponsored by the Verizon Developer Community 
> Take advantage of Verizon's best-in-class app development support 
> A streamlined, 14 day to market process makes app distribution fast and easy 
> Join now and get one step closer to millions of Verizon customers 
> http://p.sf.net/sfu/verizon-dev2dev 
> 
> 
> ------------------------------------------------------------------------ 
> 
> _______________________________________________ 
> Lxc-devel mailing list 
> Lxc-devel at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/lxc-devel 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20100304/26fc9b48/attachment.html>

More information about the lxc-devel mailing list