[lxc-users] What's the best way to copy file from host to container?
Fiedler Roman
Roman.Fiedler at ait.ac.at
Tue Apr 28 15:44:38 UTC 2015
Hello Andrey,
> Von: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] Im
> Auftrag
>
> Greetings, Fiedler Roman.
>
> Monday, April 27, 2015, 09:14:26 you wrote:
>
> >> This seems to be the perfect solution, I can just copy over to the path
> >> like
> >> proc/12423/root/usr/local, without worrying about snapshot clone uses
> >> delta0, rather than root in the container folder. After I moved the file,
> >> I
> >> still need to update the file permissions and ownership though.
>
> > What about packing the files with e.g. cpio on the host and injecting them
> via
> > pipe to ns-attached cpio-process running in guest scope.
>
> > This also works around guest to host privilege escalation if malicious
> > guest
> > content moves around fs-tree parts while copying.
>
> Could you please elaborate that? May be give an example implementation?
Example: I want to inject two files, one owned by root other one by user. All
commands on host:
# start in empty directory on host
touch x
touch y
chown 1000.100 y
find . | cpio -o | lxc-attach --name lxc-guest -- cpio -i -d
As second cpio runs within guest, it will automatically pick up the correct
uid namespace. With "tar" you can even select if you want to inject files by
(guest) file-UIDs or use the intelligent tar username-to-uid mapping
algorithm.
Apart from that, as second cpio is not only "chrooted", but running in
unprivileged namespace of container, malicious container cannot escalate to
host using the cpio via trivial symlinking. To my knowledge, malicious guest
may still escalate to host due to TIOCSTI syscall if guest root user is
malicious and e.g. places a malicious libc in container and injection command
is called from terminal. But method is safe with malicious guest non-root-uid
processes, escape should be impossible already in that case. By detaching the
injection process on host from any controlling tty, you could even eliminate
the last guest-host escalation risk also. To my knowledge, this is the only
secure way to inject files into a running container just involving file system
and pipes (no network).
Roman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6344 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150428/5b358e98/attachment.bin>
More information about the lxc-users
mailing list