[lxc-users] [SOLVED] Re: Finding the physical path of a binary running in container

Aaron Lewis the.warl0ck.1989 at gmail.com
Sun Sep 7 01:20:37 UTC 2014


Hi Serge,

Thanks! The 'root' item in procfs did the work.

On Fri, Sep 5, 2014 at 2:10 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Aaron Lewis (the.warl0ck.1989 at gmail.com):
>> Hi,
>>
>> I have a program, say /usr/bin/nginx running in a container.
>> Now on the host machine, when I check /proc/pid/exe it points to
>> "/usr/bin/nginx" which is not the physical path
>>
>> Is there any way to get the correct path?
>
> Short answer, depends on how robust you want it to be.
>
> Even shorter answer, there is no "correct path".
>
> A few points,
>
> 1. you can look under /proc/pid/root/ to see the path
> which is being talked about.
>
> 2. however that may have already been changed due to either
> a 'rm /bin/ls; cp /bin/ls.new /bin/ls' or a unshare(CLONE_NEWNS)
> by nginx.
>
> 3. I'm actually not sure whether, if you open /proc/self/exe,
> if that will actually open the file that was executed regardless
> of (2), or whether it will walk the path and open the new file.
>
> 4. The actual /proc/pid/root of the container is *not*
> /var/lib/lxc/c1/rootfs, it's /usr/lib/x86_64-linux-gnu/lxc
> onto which either /var/lib/lxc/c1/rootfs or some other rootfs
> was mounted in a new namespace.  So really you have no definitely
> valid path to the binary.
>
> 5. subject to (2), you can also setns(2) to the /proc/pid/ns/mnt
> of the container task and then open the path, as an alternative
> to using /proc/pid/root.
>
> Ideally what you'd have is a (device:inode_number) stored somewhere
> under /proc/pid, but I don't see it.  It's also not as valuable as
> you'd think, since /proc/pid/exe may have already been attacked with
> a buffer overflow, mmap()d /bin/shadow and jumped into that memory,
> i.e. not be running /proc/pid/exe at all any more.
>
> -serge



-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
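
Added example, not part of the original thread: a host-side check that combines points (1) and (2) of the quoted reply, resolving the binary through /proc/<pid>/root and comparing its (device, inode) with the inode behind /proc/<pid>/exe to see whether the file at that path is still the one that was executed. The function names are hypothetical, and the caller is assumed to have permission to read the target's /proc entries.

```python
import os

DELETED = " (deleted)"  # kernel appends this to the exe link target once the file is unlinked

def split_exe_target(target):
    """Return (path_as_seen_by_process, was_deleted) from a readlink of /proc/<pid>/exe."""
    if target.endswith(DELETED):
        return target[:-len(DELETED)], True
    return target, False

def host_view_path(pid, inner_path, proc="/proc"):
    """Path the host can open to reach inner_path inside the process's root (point 1)."""
    return os.path.join(proc, str(pid), "root", inner_path.lstrip("/"))

def check_exe(pid, proc="/proc"):
    """Compare the inode that was executed with whatever now sits at that path."""
    exe_link = os.path.join(proc, str(pid), "exe")
    inner, deleted = split_exe_target(os.readlink(exe_link))
    via_root = host_view_path(pid, inner, proc)
    # stat() follows the procfs link to the executed inode, even if it was unlinked.
    running = os.stat(exe_link)
    result = {
        "inner_path": inner,
        "host_path": via_root,
        "deleted": deleted,
        "running_id": (running.st_dev, running.st_ino),
        "same_file": False,
    }
    try:
        on_disk = os.stat(via_root)
        result["same_file"] = (on_disk.st_dev, on_disk.st_ino) == result["running_id"]
    except FileNotFoundError:
        pass  # nothing at that path in the process's root any more (point 2)
    return result

if __name__ == "__main__":
    import sys
    pid = sys.argv[1] if len(sys.argv) > 1 else os.getpid()
    for key, value in check_exe(pid).items():
        print(f"{key}: {value}")
```

A same_file of False means the path now names a different file than the one running, as in the rm/cp case; a True result still says nothing about what the process has mapped since exec.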

