[Lxc-users] dropping capabilities

richard -rw- weinberger richard.weinberger at gmail.com
Mon Oct 4 20:54:15 UTC 2010


Hi Daniel!

On Mon, Oct 4, 2010 at 9:51 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> On 10/04/2010 06:18 PM, richard -rw- weinberger wrote:
>>
>> On Sun, Oct 3, 2010 at 9:01 PM, richard -rw- weinberger
>> <richard.weinberger at gmail.com>  wrote:
>>
>>>
>>> I'm using lxc to run a few virtual private servers.
>>> What capabilities are harmful and should be dropped using "lxc.cap.drop"?
>>>
>>
>> Is my question too trivial or too stupid? ;)
>>
>
> hum, not trivial at all :)
>
> I am not sure there is a default set of capabilities to be dropped.
> Certainly some should be dropped like CAP_SYS_MODULE but others will depend
> on what the user expect to do with the container and what scripts will be
> run inside the container.
>
> We certainly have to think about the root user inside a container: is it secure?
> IMO, as long as the user namespace is not complete, it is not secure.

I thought the user namespace is complete.
What is missing?

>> Here is what I know so far:
>>
>> CAP_AUDIT_CONTROL:
>>   should be dropped
>> CAP_AUDIT_WRITE:
>>   should be dropped

Update:
To run openSUSE within lxc we need both CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE.
I think PAM uses libaudit.

>> CAP_CHOWN:
>>   is ok
>> CAP_DAC_OVERRIDE:
>>   is ok
>> CAP_DAC_READ_SEARCH
>>   is ok
>> CAP_FOWNER
>>   is ok
>> CAP_FSETID
>>   is ok
>> CAP_IPC_LOCK
>>   is ok
>> CAP_IPC_OWNER
>>   is ok
>> CAP_KILL
>>   is ok
>> CAP_LEASE
>>   is ok
>> CAP_LINUX_IMMUTABLE
>>   is ok
>> CAP_MAC_ADMIN
>>   should be dropped
>> CAP_MAC_OVERRIDE
>>   should be dropped
>> CAP_MKNOD
>>   should be dropped
>> CAP_NET_ADMIN
>>   is ok
>> CAP_NET_BIND_SERVICE
>>   is ok
>> CAP_NET_BROADCAST
>>   is ok
>> CAP_NET_RAW
>>   ok?
>>
>
> yes for the ping command for example.

Are you sure? Within my openSUSE guest I can use ping without CAP_NET_RAW.

>>
>> CAP_SETGID
>>   is ok
>> CAP_SETFCAP
>>   should be dropped
>> CAP_SETPCAP
>>   should be dropped
>> CAP_SETUID
>>   is ok
>> CAP_SYS_ADMIN
>>   should be dropped
>>
>
> The init process (upstart version) will need this because it mounts
> internally /proc and /sys.
> Some other services will need it like automount.

IMHO CAP_SYS_ADMIN is a no-go.
A jailed root would be able to mount the cgroup filesystem -> game over.

>>
>> CAP_SYS_BOOT
>>   should be dropped
>>
>
> Always dropped today in the lxc-start code.
>
>> CAP_SYS_CHROOT
>>   should be dropped

Update: sshd needs chroot().
Is it safe to allow it?

>> CAP_SYS_MODULE
>>   should be dropped
>> CAP_SYS_NICE
>>   should be dropped
>>
>
> The cgroup scheduler will protect the host and the other containers from an
> abusive nice and the cpuset will prevent unauthorized affinity. So it is
> safe to keep it I guess.
>
>> CAP_SYS_PACCT
>>   should be dropped
>> CAP_SYS_PTRACE
>>   is ok
>> CAP_SYS_RAWIO
>>   should be dropped
>> CAP_SYS_RESOURCE
>>   should be dropped
>> CAP_SYS_TIME
>>   should be dropped
>>
>
> yes and ensure /dev/rtc is read-only and protected with the cgroup devices
> whitelist.
>
>> CAP_SYS_TTY_CONFIG
>>   should be dropped
>>
>
> I am not sure, won't getty need it?

You are right. We need it. :-)

Thanks so far!
//richard
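Added example (not code from this thread or from the LXC project): a small checker that reads the CapBnd mask the kernel reports in /proc/<pid>/status, decodes it with the bit numbers from linux/capability.h, reports which capabilities from a drop list are still in the bounding set, and renders the matching lxc.cap.drop line. The drop list is the set of capabilities Richard still marks "should be dropped" after his updates above; the status text is constructed sample data, and the helper names are this example's own.

```python
"""Audit a container's capability bounding set against a drop list.

Added example, not code from the lxc-users thread or from LXC itself.
It decodes the CapBnd mask that the kernel reports in /proc/<pid>/status
and reports which capabilities on a drop list are still present, then
renders the matching lxc.cap.drop line.  Capability bit numbers follow
linux/capability.h; the sample status text below is constructed.
"""

# Capability bit numbers from linux/capability.h (list index == CAP_* value).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Capabilities the thread still marks "should be dropped" after Richard's
# updates (audit, chroot and tty_config were moved to "needed").
DROP_LIST = [
    "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE", "CAP_MKNOD", "CAP_SETFCAP",
    "CAP_SETPCAP", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_MODULE",
    "CAP_SYS_PACCT", "CAP_SYS_RAWIO", "CAP_SYS_RESOURCE", "CAP_SYS_TIME",
]


def mask_for(names):
    """Bitmask with the bit of every named capability set."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def decode_mask(mask):
    """Capability names whose bit is set in mask, in bit order.
    Bits beyond the table (newer kernels) are reported as CAP_<n>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def bounding_set_from_status(status_text):
    """Parse the CapBnd: line of a /proc/<pid>/status dump into an int mask."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def still_present(mask, drop_list=DROP_LIST):
    """Capabilities from drop_list that are still in the bounding set."""
    return [name for name in drop_list if (mask >> CAP_BIT[name]) & 1]


def lxc_cap_drop_line(names):
    """Render names as an lxc.cap.drop line (lower case, CAP_ prefix removed)."""
    return "lxc.cap.drop = " + " ".join(n[len("CAP_"):].lower() for n in names)


# Constructed sample: bounding set of a container's init after DROP_LIST was
# applied, in the 16-hex-digit form the kernel prints.
SAMPLE_STATUS_DROPPED = "Name:\tinit\nPid:\t1\nCapBnd:\t00000000748cfeff\n"
# Same, but with CAP_SYS_ADMIN (bit 21) left in by mistake.
SAMPLE_STATUS_LEAK = "Name:\tinit\nPid:\t1\nCapBnd:\t0000000074acfeff\n"

if __name__ == "__main__":
    for label, text in (("dropped", SAMPLE_STATUS_DROPPED), ("leak", SAMPLE_STATUS_LEAK)):
        mask = bounding_set_from_status(text)
        print(label, "still present:", still_present(mask) or "none")
    print(lxc_cap_drop_line(DROP_LIST))
```

On a real host, feed it `cat /proc/$(lxc-info -n NAME -p | awk '{print $2}')/status` (or the status of any process inside the container); the bounding set is inherited across exec, so checking init is enough for everything it spawns.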



