[Lxc-users] security question

Stéphane Graber stgraber at ubuntu.com
Fri Aug 19 23:42:16 UTC 2011


On 08/19/2011 03:54 PM, Ulli Horlacher wrote:
> On Fri 2011-08-19 (15:38), Dong-In David Kang wrote:
>
>> We've found out that inside of an LXC instance, root can insert/remove modules of the host.
>> Is it normal?
>> If it is doable, an LXC image may corrupt the host system, which is not good in terms of security.
>
> Put:
>
> lxc.cap.drop = sys_module
>
> to your LXC container config file.
> And by the way:
>
> lxc.cap.drop = sys_admin
>
> is also a good idea, to prevent that the container root can modify mount
> options, for example set the container filesystem to read-only, which can
> affect ALL containers!

So, for a more generic answer:

LXC doesn't pretend to be secure when you run stuff as root inside the 
container. The proposed solutions above will restrict what root can do 
and so may solve a good part of your issues.

Stuff like "echo b > /proc/sysrq-trigger" will still be possible until 
we get the user namespaces (that specific example could be blocked by 
some of the security modules though).

Last week during the LXC/container hackfest in Austin, there's been some 
good progress being done on the user namespace and so we can hope to 
have these eventually implemented in the kernel.

Until then, I'd recommend not running untrusted software as root in a 
container. It's perfectly safe to run something as a user though.

For cases where you trust your container user, like development 
environments, it's of course fine running stuff as root and I do that 
everyday.

Hope that clarifies the current situation :)

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
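The thread's advice is to drop sys_module and sys_admin via lxc.cap.drop; the script below is an added example (not part of this list thread or of LXC itself) that verifies from inside a container, by reading the CapBnd bounding-set mask in /proc/self/status, that those two capabilities are actually gone. It assumes the kernel's capability bit numbers (CAP_SYS_MODULE = 16, CAP_SYS_ADMIN = 21) and the /proc status line format; the masks it tests against are constructed samples.

```shell
#!/bin/sh
# Added example: confirm that lxc.cap.drop = sys_module / sys_admin took effect
# by inspecting the capability bounding set of the current process.
# Bit numbers follow the Linux kernel's include/uapi/linux/capability.h.
CAP_SYS_MODULE=16
CAP_SYS_ADMIN=21

# cap_in_mask HEXMASK BIT -> exit 0 if that capability bit is set in the mask
cap_in_mask() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# check_dropped HEXMASK -> exit 0 only if both capabilities are cleared
check_dropped() {
    ! cap_in_mask "$1" "$CAP_SYS_MODULE" && ! cap_in_mask "$1" "$CAP_SYS_ADMIN"
}

# bounding_set FILE -> print the CapBnd hex mask from a /proc/<pid>/status file
bounding_set() {
    awk '$1 == "CapBnd:" { print $2 }' "$1"
}

# Constructed sample: an unrestricted root bounding set with bits 0..36 set,
# i.e. what container root sees when nothing is dropped.
FULL_MASK=0000003fffffffff
# Constructed sample: the same set after sys_module and sys_admin are dropped.
DROPPED_MASK=$(printf '%016x' $(( 0x$FULL_MASK & ~(1 << 16) & ~(1 << 21) )))

# Live check when run on Linux, e.g. as root inside the container being audited.
if [ -r /proc/self/status ]; then
    live=$(bounding_set /proc/self/status)
    if check_dropped "$live"; then
        echo "CapBnd $live: sys_module and sys_admin are dropped"
    else
        echo "CapBnd $live: sys_module and/or sys_admin still present"
    fi
fi
```

Run it inside the container after restarting it with the new config; an unchanged CapBnd means the lxc.cap.drop lines were not picked up.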
