[Lxc-users] dropping capabilities
Daniel Lezcano
daniel.lezcano at free.fr
Mon Oct 4 19:51:39 UTC 2010
On 10/04/2010 06:18 PM, richard -rw- weinberger wrote:
> On Sun, Oct 3, 2010 at 9:01 PM, richard -rw- weinberger
> <richard.weinberger at gmail.com> wrote:
>
>> I'm using lxc to run a few virtual private servers.
>> What capabilities are harmful and should be dropped using "lxc.cap.drop"?
>>
> Is my question too trivial or too stupid? ;)
>
hum, not trivial at all :)
I am not sure there is a default set of capabilities to be dropped.
Certainly some should be dropped like CAP_SYS_MODULE but others will
depend on what the user expect to do with the container and what scripts
will be run inside the container.
We have certainly think about the root user inside a container, is it
secure ? IMO, until the user namespace is not complete, it is not secure.
> Here what i know so far:
>
> CAP_AUDIT_CONTROL:
> should be dropped
> CAP_AUDIT_WRITE:
> should be dropped
> CAP_CHOWN:
> is ok
> CAP_DAC_OVERRIDE:
> is ok
> CAP_DAC_READ_SEARCH
> is ok
> CAP_FOWNER
> is ok
> CAP_FSETID
> is ok
> CAP_IPC_LOCK
> is ok
> CAP_IPC_OWNER
> is ok
> CAP_KILL
> is ok
> CAP_LEASE
> is ok
> CAP_LINUX_IMMUTABLE
> is ok
> CAP_MAC_ADMIN
> should be dropped
> CAP_MAC_OVERRIDE
> should be dropped
> CAP_MKNOD
> should be dropped
> CAP_NET_ADMIN
> is ok
> CAP_NET_BIND_SERVICE
> is ok
> CAP_NET_BROADCAST
> is ok
> CAP_NET_RAW
> ok?
>
yes for the ping command for example.
> CAP_SETGID
> is ok
> CAP_SETFCAP
> should be dropped
> CAP_SETPCAP
> should be dropped
> CAP_SETUID
> is ok
> CAP_SYS_ADMIN
> should be dropped
>
The init process (upstart version) will need this because it mounts
internally /proc and /sys.
Some other services will need it like automount.
> CAP_SYS_BOOT
> should be dropped
>
Always dropped today in the lxc-start code.
> CAP_SYS_CHROOT
> should be dropped
> CAP_SYS_MODULE
> should be dropped
> CAP_SYS_NICE
> should be dropped
>
The cgroup scheduler will protect the host and the other containers from
an abusive nice and the cpuset will prevent unauthorized affinity. So it
is safe to keep it I guess.
> CAP_SYS_PACCT
> should be dropped
> CAP_SYS_PTRACE
> is ok
> CAP_SYS_RAWIO
> should be dropped
> CAP_SYS_RESOURCE
> should be dropped
> CAP_SYS_TIME
> should be dropped
>
yes and ensure /dev/rtc is read-only and protected with the cgroup
devices whitelist.
> CAP_SYS_TTY_CONFIG
> should be dropped
>
I am not sure, won't getty need it ?
Thanks
-- Daniel
More information about the lxc-users
mailing list