[Lxc-users] FUSE and capabilities

Trent W. Buck twb at cybersource.com.au
Thu Feb 17 05:04:54 UTC 2011


Milan Zamazal <pdm at zamazal.org> writes:

>>>>>> "TWB" == Trent W Buck <twb at cybersource.com.au> writes:
>
>     TWB> I suppose if I had to support desktop wank, I would set up a
>     TWB> udev rule on the host to mount removable devices in 
>     TWB> /media/<VOL ID>, and then rbind-mount /media into the
>     TWB> container(s).  
>
> This might be a good idea for some systems, but it wouldn't work well
> for things like formatting, burning or using FUSE.
>
> Perhaps the proper solution would be to add a new capability for secure
> mounts to the kernel.  The question is how much damage can be done in
> theory to the host and other containers when a container is given the
> CAP_SYS_ADMIN capability, assuming lxc.cgroup.devices are set properly?
> I don't care much about DoS problems as those can happen with almost any
> non-paranoid setup.

Hm, for privileged operations specific to mounting removable media,
GNOME and KDE do hairy complicated stuff with IPC frameworks built on
top of dbus (unless KDE is still using a setuid pmount(8)?).  If you can
work out how to turn that dbus IPC into an RPC between the container and
the dom0, then you would have the necessary escalation to SYS_ADMIN...

> But can CAP_SYS_ADMIN significantly increase risk of compromising the
> host or other containers?

I assume so, but I can't think of a specific attack offhand.
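One defender-side check that follows from this exchange: rather than reasoning about what a container could do with CAP_SYS_ADMIN, verify whether its processes actually hold it. The following is an added example, not code from the thread or from the LXC project. It reads the CapBnd (capability bounding set) line from /proc/<pid>/status and tests bit 21, which is CAP_SYS_ADMIN in <linux/capability.h>; the masks in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): does a process's
# capability bounding set include CAP_SYS_ADMIN?
# CAP_SYS_ADMIN is capability number 21 in <linux/capability.h>.

CAP_SYS_ADMIN_BIT=21

# has_cap_sys_admin MASK_HEX
#   MASK_HEX is the hex mask as printed after "CapBnd:" in
#   /proc/<pid>/status, e.g. 0000003fffffffff (constructed sample).
#   Returns 0 if bit 21 is set, 1 otherwise.
has_cap_sys_admin() {
    mask_hex=$1
    [ -n "$mask_hex" ] || return 2
    mask=$(( 0x$mask_hex ))          # POSIX arithmetic accepts hex constants
    bit=$(( 1 << CAP_SYS_ADMIN_BIT ))
    [ $(( mask & bit )) -ne 0 ]
}

# pid_has_cap_sys_admin PID
#   Reads the CapBnd line for PID (default: the current shell) and
#   applies the check above. Returns 2 if the line cannot be read.
pid_has_cap_sys_admin() {
    pid=${1:-self}
    mask_hex=$(awk '/^CapBnd:/ { print $2 }' "/proc/$pid/status" 2>/dev/null) || return 2
    [ -n "$mask_hex" ] || return 2
    has_cap_sys_admin "$mask_hex"
}

# Usage: sh capcheck.sh <pid>   (e.g. the pid of a container's init on the host)
if [ -n "$1" ]; then
    if pid_has_cap_sys_admin "$1"; then
        echo "pid $1: CAP_SYS_ADMIN is in the bounding set"
    else
        echo "pid $1: CAP_SYS_ADMIN is NOT in the bounding set"
    fi
fi
```

Run it against the container init's pid as seen from the host; if the bounding set lacks bit 21, no process in that container can regain CAP_SYS_ADMIN, regardless of what the container's own configuration later tries to do.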
