[lxc-users] What's the best way to copy file from host to container?

Andrey Repin anrdaemon at yandex.ru
Tue Apr 28 19:18:00 UTC 2015


Greetings, LXC users mailing-list!

>> > What about packing the files with e.g. cpio on the host and injecting them via
>> > pipe to ns-attached cpio-process running in guest scope.
>>
>> > This also works around guest to host privilege escalation if malicious guest
>> > content moves around fs-tree parts while copying.
>>
>> Could you please elaborate on that? Maybe give an example implementation?

> Example: I want to inject two files, one owned by root, the other one by a user. All 
> commands on the host:

> # start in empty directory on host
> touch x
> touch y
> chown 1000.100 y

> find . | cpio -o | lxc-attach --name lxc-guest -- cpio -i -d

> As the second cpio runs within the guest, it will automatically pick up the correct 
> uid namespace. With "tar" you can even select whether you want to inject files by 
> (guest) file-UIDs or use the intelligent tar username-to-uid mapping 
> algorithm.

> Apart from that, as the second cpio is not only "chrooted" but running in the 
> unprivileged namespace of the container, a malicious container cannot escalate to the 
> host using the cpio via trivial symlinking. To my knowledge, a malicious guest 
> may still escalate to the host due to the TIOCSTI syscall if the guest root user is 
> malicious and e.g. places a malicious libc in the container and the injection command 
> is called from a terminal. But the method is safe with malicious guest non-root-uid 
> processes; escape should be impossible already in that case. By detaching the 
> injection process on the host from any controlling tty, you could even eliminate 
> the last guest-host escalation risk as well. To my knowledge, this is the only 
> secure way to inject files into a running container involving just the file system
> and pipes (no network).

Thank you, much appreciated.
It didn't occur to me that I could pipe something to lxc-attach :)


-- 
With best regards,
Andrey Repin
Tuesday, April 28, 2015 22:16:56

Sorry for my terrible English...
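The injection the quoted reply describes, written out as an added example (this is not code from the post or from the LXC project). It uses tar instead of cpio so the host side can choose numeric-UID mode explicitly, redirects the guest-side process's output away from the host terminal, and checks the result afterwards. The attach prefix is passed in as arguments (with LXC that is `lxc-attach --name <container> --`); `local_attach`, `DETACH`, `INJECT_LOG` and the demo tree are assumptions constructed so the script runs offline without a container.

```shell
#!/bin/sh
# Added example, not code from the post. Injects a host directory into a running
# container through a pipe, as the quoted reply describes, using tar rather than
# cpio. DETACH, INJECT_LOG and local_attach are assumed names for this demo.
set -eu

# Optional prefix that drops the controlling terminal on the host side, e.g.
# DETACH="setsid -w" (util-linux). Redirecting file descriptors alone is not
# enough: a process that still has a controlling tty can reopen it via /dev/tty,
# which is the TIOCSTI concern raised in the thread. Empty by default so the
# script also runs where setsid is not installed.
DETACH=${DETACH:-}
# Where the guest-side tar's stdout/stderr go instead of the host terminal.
INJECT_LOG=${INJECT_LOG:-/dev/null}

# inject_tree SRC DEST ATTACH_CMD [ARGS...]
# Packs SRC on the host and unpacks it at DEST inside the guest. The extracting
# tar runs in the container's namespaces, so any symlink games in DEST are
# resolved in the guest's own view of the filesystem and cannot redirect writes
# onto the host. --numeric-owner stores and restores raw UIDs/GIDs (the
# "inject by guest file-UID" mode from the thread); drop it on the guest side
# to let tar map by user name instead.
inject_tree() {
    src=$1; dest=$2; shift 2
    tar -C "$src" --numeric-owner -cf - . \
      | $DETACH "$@" tar -C "$dest" --numeric-owner -xpf - \
          >"$INJECT_LOG" 2>&1
}

# snapshot DIR: one "path crc" line per regular file, sorted, for comparison.
snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
          printf '%s %s\n' "$f" "$(cksum < "$f" | cut -d' ' -f1)"
      done )
}

# verify_tree SRC DEST: succeeds only if both trees hold the same files with
# the same contents; run it after an injection before trusting the result.
verify_tree() {
    [ "$(snapshot "$1")" = "$(snapshot "$2")" ]
}

# Stand-in for "lxc-attach --name <container> --" so the example runs without
# a container: it just executes the command on the host (demo only).
local_attach() { "$@"; }

# Demo on a constructed tree: two files, one in a subdirectory with mode 0600.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/sub" "$tmp/guest"
    printf 'hello\n' > "$tmp/src/x"
    printf 'world\n' > "$tmp/src/sub/y"
    chmod 600 "$tmp/src/sub/y"
    inject_tree "$tmp/src" "$tmp/guest" local_attach
    verify_tree "$tmp/src" "$tmp/guest"
    rm -rf "$tmp"
}
demo

# Real use against a container (assumed container name and target path):
#   DETACH="setsid -w" ./inject.sh   # then call:
#   inject_tree ./payload /opt/app lxc-attach --name lxc-guest --
```

Because the host-side tar only reads and never follows anything the guest controls, the only process that touches guest-controlled paths is the tar running under `lxc-attach`, inside the container's mount and user namespaces. Numeric ownership is what the guest kernel view maps through the container's UID mapping, so a file archived as UID 1000 on the host lands as UID 1000 as seen from inside the guest.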


