[Lxc-users] Disable write access to /dev/rtc in templates
Christoph Mitasch
cmitasch at thomas-krenn.com
Tue Apr 30 16:03:28 UTC 2013
Hello,
I did some testing with "rm" access to /dev/rtc. It seems that this is not enough.
I did a strace with the hwclock --set command and found out that it is doing an ioctl(RTC_SET_TIME). This works even if writing to /dev/rtc is not allowed.
# echo test > /dev/rtc
-bash: /dev/rtc: Operation not permitted
# hwclock
Tue Apr 30 18:02:00 2013 -0.290344 seconds
# hwclock --set --date 18:02 --debug
...
Using /dev interface to clock.
...
ioctl(RTC_SET_TIME) was successful.
...
I finally got it working as expected when dropping the sys_time capability.
lxc.cap.drop = sys_time
I think both the write permission for /dev/rtc and the sys_time capability should be removed in the templates!
Regards,
Christoph
----- Original Message -----
> From: "Serge Hallyn" <serge.hallyn at ubuntu.com>
> To: "Christoph Mitasch" <cmitasch at thomas-krenn.com>
> CC: lxc-users at lists.sourceforge.net
> Sent: Tuesday, 30 April 2013 15:17:40
> Subject: Re: [Lxc-users] Disable write access to /dev/rtc in templates
>
> Quoting Christoph Mitasch (cmitasch at thomas-krenn.com):
> > Hello,
> >
> > we recently discovered that a container was able to modify the
> > hardware clock of a server.
> >
> > When checking the lxc configuration I found out that rwm access to
> > /dev/rtc was granted.
> >
> > Unfortunately most lxc templates allow write access per default.
> > http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=tree;f=templates
> >
> > This was already discussed a few years ago:
> > http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00718.html
> >
> > I would recommend to modify access to /dev/rtc in the templates.
> > Or are there any caveats to do so?
>
> Thanks for the reminder.
>
> I can't think of any.
>
> If no one else speaks up by tomorrow, I'll update the templates to
> make it 'rm'.
>
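A config check for the two gaps raised in this thread (a cgroup rule that still grants write access to the RTC device, and a container that keeps the sys_time capability so ioctl(RTC_SET_TIME) still succeeds), added here as an example; it is not code from the thread or from LXC. It assumes the lxc 1.x-style `lxc.cgroup.devices.allow` / `lxc.cap.drop` keys and that the RTC device is char 254:0, which is an assumption to verify against `ls -l /dev/rtc0` on the host.

```python
#!/usr/bin/env python3
"""Audit an LXC container config for /dev/rtc write access and the sys_time cap."""

# Assumption: the RTC character device is major 254, minor 0. Check your host.
RTC_DEVICE = ("254", "0")


def parse_lxc_config(text):
    """Yield (key, value) pairs, dropping '#' comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield key.strip(), value.strip()


def _rule_grants_write(value, rtc_dev):
    """True if a devices.allow value ('c 254:0 rwm', 'c *:* rwm', 'a') grants 'w' to rtc_dev."""
    parts = value.split()
    if parts == ["a"]:                       # 'a' alone = every device, every access
        return True
    if len(parts) != 3 or parts[0] not in ("c", "a"):
        return False
    major, _, minor = parts[1].partition(":")
    same_major = major in ("*", rtc_dev[0])
    same_minor = minor in ("*", rtc_dev[1])
    return same_major and same_minor and "w" in parts[2]


def audit_rtc(config_text, rtc_dev=RTC_DEVICE):
    """Return a list of findings; an empty list means both protections are present."""
    findings = []
    caps_dropped = set()
    for key, value in parse_lxc_config(config_text):
        if key == "lxc.cgroup.devices.allow" and _rule_grants_write(value, rtc_dev):
            findings.append("devices.allow grants write to rtc: %s" % value)
        elif key == "lxc.cap.drop":
            caps_dropped.update(value.split())
    if "sys_time" not in caps_dropped:
        findings.append("sys_time not dropped: ioctl(RTC_SET_TIME) still works")
    return findings


# Constructed sample: a template-style config that only tightened the cgroup rule.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 254:0 rm # rtc, now read-only
lxc.cap.drop = mac_admin mac_override
"""

if __name__ == "__main__":
    for finding in audit_rtc(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against `/var/lib/lxc/<name>/config`; the sample reports only the missing sys_time drop, which is exactly the case where `rm` alone looks safe but hwclock --set still succeeds.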