[Lxc-users] How much LXC is secure?

Leonid Isaev lisaev at umail.iu.edu
Mon Nov 11 17:04:51 UTC 2013


On Mon, 11 Nov 2013 13:49:11 +0100
Adam Ryczkowski <adam.ryczkowski at statystyka.net> wrote:

> On 11.11.2013 13:43, Daniel P. Berrange wrote:
> > On Mon, Nov 11, 2013 at 01:19:25PM +0100, Adam Ryczkowski wrote:
> >> Last year I read many times that LXC has some outstanding
> >> security issues, and that the encapsulation is not tight enough to
> >> prevent hijacking the host when the guest is compromised. But I
> >> never managed to find out how exactly one escapes the LXC
> >> container.
> >>
> >> I'm using the LXC containers as holders for virtual computers
> >> (just as advertized in
> >> https://help.ubuntu.com/12.04/serverguide/lxc.html) in the hope that
> >> this will make another line of defense against hackers anyway.
> >>
> >> Recently the host got hacked (Ubuntu 12.04 precise with kernel
> >> 3.8.2), and I have renewed suspicions about the impenetrability of
> >> LXC.
> >>
> >> I wonder what is the state of affairs now. How does one implement
> >> virtual computers inside LXC containers, so root on a guest cannot
> >> get root rights on host?
> > If you have a process running as "root" inside the container, then
> > you should assume it is *insecure* unless the container is configured
> > with either a user namespace uid+gid mapping, or some mandatory
> > access control (MAC) system like SELinux / AppArmor.  Without the
> > uid/gid mapping or a MAC layer, root in the container has all sorts
> > of access to stuff in sysfs & procfs that it can use to cause havoc
> > in the host, and quite possibly other things besides.
> >
> > Daniel
> Do you know by chance how it applies to the long Ubuntu 12.04? It
> uses AppArmor, but how sufficiently is it configured out-of-the-box?
> 
> How to check if the server uses uid+gid mapping?

As far as I know, the only "distro" which has user namespaces at the moment is
Fedora rawhide (FC21) with the kernel 3.12. I think Ubuntu 14.04 plans to
include those, but I don't know the status of this. See the discussion here:
https://bugs.archlinux.org/task/36969 . 

On your system run
$ lxc-checkconfig | grep "User namespace"
to check if user namespaces are enabled on your host.

Cheers,
Leonid.

> 
> Thank you,
> 
> Adam



-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
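
Added example, not part of the original message or of the LXC project: lxc-checkconfig reports kernel support only, so this sketch answers the "uid+gid mapping" question for one running container by reading /proc/<pid>/uid_map of a container process from the host. The function names and the sample maps (100000, 65536) are constructed for illustration.

```shell
#!/bin/sh
# Each uid_map line is: <first id inside ns> <first id outside ns> <length>.
# gid_map has the same format, so both functions work on it unchanged.

# host_id_for MAPFILE INSIDE_ID
# Prints the host id that INSIDE_ID maps to, or "unmapped".
host_id_for() {
    awk -v id="$2" '
        NF == 3 && id >= $1 && id < $1 + $3 {
            print $2 + (id - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# classify_root MAPFILE
# "host-root"      container uid 0 is host uid 0 (no remapping in effect)
# "remapped:<uid>" container uid 0 is an unprivileged host uid
# "unmapped"       uid 0 has no mapping in this namespace
classify_root() {
    host=$(host_id_for "$1" 0)
    case "$host" in
        0)        echo "host-root" ;;
        unmapped) echo "unmapped" ;;
        *)        echo "remapped:$host" ;;
    esac
}

# Constructed sample maps (not captured from a real system).
sample_dir=$(mktemp -d)
printf '         0          0 4294967295\n' > "$sample_dir/identity"
printf '0 100000 65536\n' > "$sample_dir/mapped"

# Real use, run on the host with the PID of the container's init process:
#   sh thisscript.sh <pid>
if [ -n "${1:-}" ]; then
    classify_root "/proc/$1/uid_map"
fi
```

A result of "host-root" means root in that container is uid 0 on the host, which is the case Daniel describes as needing a MAC layer.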