[Lxc-users] dropping capabilities
richard -rw- weinberger
richard.weinberger at gmail.com
Tue Oct 5 10:34:37 UTC 2010
On Tue, Oct 5, 2010 at 11:23 AM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> On 10/04/2010 10:54 PM, richard -rw- weinberger wrote:
>>
>> Hi Daniel!
>>
>> On Mon, Oct 4, 2010 at 9:51 PM, Daniel Lezcano<daniel.lezcano at free.fr>
>> wrote:
>>
>>>
>>> On 10/04/2010 06:18 PM, richard -rw- weinberger wrote:
>>>
>>>>
>>>> On Sun, Oct 3, 2010 at 9:01 PM, richard -rw- weinberger
>>>> <richard.weinberger at gmail.com> wrote:
>>>>
>>>>
>>>>>
>>>>> I'm using lxc to run a few virtual private servers.
>>>>> What capabilities are harmful and should be dropped using
>>>>> "lxc.cap.drop"?
>>>>>
>>>>>
>>>>
>>>> Is my question too trivial or too stupid? ;)
>>>>
>>>>
>>>
>>> hum, not trivial at all :)
>>>
>>> I am not sure there is a default set of capabilities to be dropped.
>>> Certainly some should be dropped like CAP_SYS_MODULE but others will
>>> depend
>>> on what the user expect to do with the container and what scripts will be
>>> run inside the container.
>>>
>>> We have certainly think about the root user inside a container, is it
>>> secure
>>> ? IMO, until the user namespace is not complete, it is not secure.
>>>
>>
>> I thought the user namespace is complete.
>> What is missing?
>>
>
> I am not sure, but something like "who did what", so if you are root on the
> host and you mount a filesystem, when you create an user namespace, will be
> root inside but not the same root as the host, and you won't be able to
> umount what the host's root has mounted before. I didn't followed the
> discussion about this very closely so I may be wrong.
> I prefer let Serge explain what is missing, he will be much more clear than
> me :)
> (cc'ed Serge).
>
>>>> Here what i know so far:
>>>>
>>>> CAP_AUDIT_CONTROL:
>>>> should be dropped
>>>> CAP_AUDIT_WRITE:
>>>> should be dropped
>>>>
>>
>> Update:
>> To run openSUSE within lxc we need both CAP_AUDIT_CONTROL and
>> CAP_AUDIT_WRITE.
>> I think pam uses libaudit.
>>
>>
>>>>
>>>> CAP_CHOWN:
>>>> is ok
>>>> CAP_DAC_OVERRIDE:
>>>> is ok
>>>> CAP_DAC_READ_SEARCH
>>>> is ok
>>>> CAP_FOWNER
>>>> is ok
>>>> CAP_FSETID
>>>> is ok
>>>> CAP_IPC_LOCK
>>>> is ok
>>>> CAP_IPC_OWNER
>>>> is ok
>>>> CAP_KILL
>>>> is ok
>>>> CAP_LEASE
>>>> is ok
>>>> CAP_LINUX_IMMUTABLE
>>>> is ok
>>>> CAP_MAC_ADMIN
>>>> should be dropped
>>>> CAP_MAC_OVERRIDE
>>>> should be dropped
>>>> CAP_MKNOD
>>>> should be dropped
>>>> CAP_NET_ADMIN
>>>> is ok
>>>> CAP_NET_BIND_SERVICE
>>>> is ok
>>>> CAP_NET_BROADCAST
>>>> is ok
>>>> CAP_NET_RAW
>>>> ok?
>>>>
>>>>
>>>
>>> yes for the ping command for example.
>>>
>>
>> Are you sure? Within my openSUSE guest I can use ping without CAP_NET_RAW.
>>
>
> Depending of the distro (eg. fedora), ping uses socket(,SOCK_RAW,).
> This is why this command is setuid root.
>
>>>> CAP_SETGID
>>>> is ok
>>>> CAP_SETFCAP
>>>> should be dropped
>>>> CAP_SETPCAP
>>>> should be dropped
>>>> CAP_SETUID
>>>> is ok
>>>> CAP_SYS_ADMIN
>>>> should be dropped
>>>>
>>>>
>>>
>>> The init process (upstart version) will need this because it mounts
>>> internally /proc and /sys.
>>> Some other services will need it like automount.
>>>
>>
>> IMHO CAP_SYS_ADMIN is a no-go.
>> A jailed root would be able to mount the cgroup filesystem -> game over.
>>
>
> Yep. The cgroup can be remounted in the container but you can prevent the
> access to the directory with SMACK or SeLinux. There is a good document at
> explaining how to do that.
>
> http://www.ibm.com/developerworks/linux/library/l-lxc-security/
Yeah, but there are more problems. For example on my test system /lxc
is a separate filesystem. With CAP_SYS_ADMIN a evil guy could do "ln
-s /proc/mounts /etc/mtab ; mount / -o remount,ro" and all other lxc
instances are unusable...
>>>> CAP_SYS_BOOT
>>>> should be dropped
>>>>
>>>>
>>>
>>> Always dropped today in the lxc-start code.
>>>
>>>
>>>>
>>>> CAP_SYS_CHROOT
>>>> should be dropped
>>>>
>>
>> Update: sshd needs chroot().
>> Is it safe to allow it?
>>
>
> IMHO, yes.
>
>>>> CAP_SYS_MODULE
>>>> should be dropped
>>>> CAP_SYS_NICE
>>>> should be dropped
>>>>
>>>>
>>>
>>> The cgroup scheduler will protect the host and the other containers from
>>> an
>>> abusive nice and the cpuset will prevent unauthorized affinity. So it is
>>> safe to keep it I guess.
>>>
>>>
>>>>
>>>> CAP_SYS_PACCT
>>>> should be dropped
>>>> CAP_SYS_PTRACE
>>>> is ok
>>>> CAP_SYS_RAWIO
>>>> should be dropped
>>>> CAP_SYS_RESOURCE
>>>> should be dropped
>>>> CAP_SYS_TIME
>>>> should be dropped
>>>>
>>>>
>>>
>>> yes and ensure /dev/rtc is read-only and protected with the cgroup
>>> devices
>>> whitelist.
>>>
>>>
>>>>
>>>> CAP_SYS_TTY_CONFIG
>>>> should be dropped
>>>>
>>>>
>>>
>>> I am not sure, won't getty need it ?
>>>
>>
>> You are right. We need it. :-)
>>
>> Thanks so far!
>> //richard
>>
>>
>
>
--
Cheers,
//richard
More information about the lxc-users
mailing list