[lxc-users] What's the best way to copy file from host to container?

Fiedler Roman Roman.Fiedler at ait.ac.at
Thu Apr 30 07:22:51 UTC 2015


> From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On
> Behalf Of
>
> Greetings, LXC users mailing-list!
>
> >> > What about packing the files with e.g. cpio on the host and injecting
> >> > them via pipe to ns-attached cpio-process running in guest scope.
> >>
> >> > This also works around guest to host privilege escalation if malicious
> >> > guest content moves around fs-tree parts while copying.
> >>
> >> Could you please elaborate on that? Maybe give an example implementation?
>
> > Example: I want to inject two files, one owned by root other one by user.
> > All commands on host:
>
> > # start in empty directory on host
> > touch x
> > touch y
> > chown 1000.100 y
>
> > find . | cpio -o | lxc-attach --name lxc-guest -- cpio -i -d
>
> > As second cpio runs within guest, it will automatically pick up the
> > correct uid namespace. With "tar" you can even select if you want to
> > inject files by (guest) file-UIDs or use the intelligent tar
> > username-to-uid mapping algorithm.
>
> > Apart from that, as second cpio is not only "chrooted", but running in
> > unprivileged namespace of container, malicious container cannot escalate
> > to host using the cpio via trivial symlinking. To my knowledge, malicious
> > guest may still escalate to host due to TIOCSTI syscall if guest root
> > user is malicious and e.g. places a malicious libc in container and
> > injection command is called from terminal. But method is safe with
> > malicious guest non-root-uid processes, escape should be impossible
> > already in that case. By detaching the injection process on host from
> > any controlling tty, you could even eliminate the last guest-host
> > escalation risk also. To my knowledge, this is the only secure way to
> > inject files into a running container just involving file system and
> > pipes (no network).
>
> Thank you, much appreciated.
> It didn't occur to me that I could pipe something to lxc-attach :)

Yes, but be aware of the risks involved and use carefully. There should be
quite some ways for a malicious guest to influence the host. If I'm not wrong,
changing the command from above to

find . | cpio -o | lxc-attach --name lxc-guest -- cpio -i -d < /dev/null

might allow guest to cause service errors in arbitrary host processes when 
they try to access /dev/null.

But perhaps LXC pros could confirm or dismiss this assumption.

Roman
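
The tty-detached injection suggested in the message above, as an added example that is not part of the original post. It packs with tar (named in the thread as an alternative to cpio) instead of cpio; `inject_tree` and its status-file handling are this example's own choices, and `setsid` from util-linux is assumed to be installed on the host.

```shell
#!/bin/sh
# inject_tree SRC_DIR RECEIVER [ARG...]
# Packs SRC_DIR on the host and streams the archive to RECEIVER, which runs
# in a new session and therefore starts with no controlling terminal.
# Intended use with the container name from the thread (assumes tar in guest):
#   inject_tree ./payload lxc-attach --name lxc-guest -- tar -xf -
inject_tree() {
    src=$1
    [ $# -ge 2 ] && [ -d "$src" ] || {
        echo "usage: inject_tree SRC_DIR RECEIVER [ARG...]" >&2
        return 2
    }
    shift
    # Each pipeline stage records its exit status here, because the status
    # of the pipeline itself is only that of the final cat.
    st=$(mktemp) || return 1

    # Stage 1: pack on the host; only the archive stream crosses the pipe.
    # Stage 2: setsid detaches the receiver from the caller's terminal
    #          session; its stdin is the pipe and 2>&1 sends stderr into
    #          the next pipe, so it is not handed the caller's tty on 0/1/2.
    # Stage 3: cat relays the receiver's output back to the caller.
    { tar -C "$src" -cf - .; echo "pack $?" >>"$st"; } |
        { setsid "$@" 2>&1; echo "recv $?" >>"$st"; } |
        cat

    result=$(sort "$st" | tr '\n' ' ')
    rm -f "$st"
    # Succeed only if both the packer and the receiver exited with 0.
    [ "$result" = "pack 0 recv 0 " ]
}
```

The function returns non-zero when either the packing side or the receiving side fails, so a truncated transfer is not reported as success.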