[Lxc-users] Root-less containers?
Robert Kawecki
thewanderer at gim11.pl
Sun Feb 6 23:52:02 UTC 2011
On Sun, 06 Feb 2011 18:23:41 +1300, Gary Ballantyne
<gary.ballantyne at haulashore.com> wrote:
> On 2/6/2011 3:56 PM, John Drescher wrote:
>>> Is this important if, say, a malicious user has access to a container?
>>> Or, can a container be configured such that they could do little harm?
>>
>> You can easily make a container have its own filesystem and no access
>> to the host's filesystem or devices. Is that what you are getting at?
>>
>
> Say we have a process P, which accepts an input file from the user.
> Further, suppose that P allows access to the command line -- and so a
> user can potentially execute any command in the container.
>
> To prevent malicious use, one option is to parse the input -- but
> running P in a container with minimal resources seems a much better
option.
>
> I am trying to put a proof-of-concept together, and the root vs. normal
> user issue seemed relevant. Perhaps a better question would have been,
> what is the practical difference between the container running as a root
> user and a normal user?
Right now, there is no big difference security-wise since a setuid() in
the container, without working user namespaces, is equivalent to setuid()
on the host system, and gaining root in the container can be done via the
same exploits that would otherwise be possible on a non-virtualized system.
Therefore, instead of thinking about running a container as root, one
should ask how to properly separate the container from the rest of the
system. This is, apparently, not as easy as it seems - there was a rootkit
a few months ago that was capable of breaking out of OpenVZ and
Linux-Vserver, and with the more loose security model of LXC currently, it
seems trivial...
To run an application in a container, use lxc-execute as always, but keep
in mind that it does not make the system immune to attacks - currently,
containers themselves can not be configured to do little harm. However,
Linux kernel patches and LSM's can defend the host system as long as the
kernel is kept intact. They do so from the level of the host system, as
demonstrated in an IBM's article.
Remember, the system is as secure as the weakest link. You need to both
sanitize the application input and use isolation, not choose one over
another.
More information about the lxc-users
mailing list