[lxc-users] Unprivileged Container and bind-mounting /dev/...
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Jan 23 23:18:39 UTC 2015
Quoting Dirk Geschke (dirk at lug-erding.de):
> Hi Serge,
>
> thanks for the response!
>
> > Unprivileged containers are started in a new user namespace. Root
> > in the container is mapped to another uid on the host, and is allowed
> > privileged access to any resources which the unprivileged user owns.
>
> That's one of the reasons I like the idea of unprivileged containers.
>
> > You can't mount most filesystems, but bind mounting is ok. The source
> > node retains its ownership (uid -1, so you can't modify it), and if
> > you start any setuid-root programs they will be run as root in your
> > container, your user on the host, so you can only damage yourself.
>
> That's the point I'm missing. Can a normal user bind mount e.g.
> /dev/random somewhere else? I think, only root can do this?
>
> If I try as a normal user this command
>
> mount("/dev/random","/home/geschke/random","none",MS_BIND|MS_REC, 0)
As the normal user, if you run the setuid-root /usr/bin/passwd, it will
run as root on the host.
You have to create a new user namespace where uid 0 in the namespace is
your uid (say 1000) on the host. So then if you run setuid-root
/usr/bin/passwd, it will actually run as uid 1000 on the host and not be
able to write to /etc/shadow. That makes it safe for you to manipulate
your environment by bind-mounting to your heart's content.
So you could do
lxc-unshare -s "USER|MOUNT" -- /bin/bash
and then from that shell you could mount /dev/random to /home/geschke/random.
Actually the example you show above would for the most part be safe
anyway, and some time ago (around 2007?) there was work to try and
allow such mounts, so long as you had write access to the mount
target. The work was dropped because there turned out to be some
complications - it could have proceeded if we'd had working revoke,
iiuc.
> I get a
>
> mount: Operation not permitted
>
> Where is my mistake?
>
> Ah, as root in a container, it seems to work. But why? Is this a
> feature of the user namespace?
Exactly.
> Sorry, it works fine, but I'm just curious...
>
> Best regards
>
> Dirk
> --
> +----------------------------------------------------------------------+
> | Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
> | Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
> | dirk at geschke-online.de / dirk at lug-erding.de / kontakt at lug-erding.de |
> +----------------------------------------------------------------------+
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
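The sequence Serge describes (unshare a user and mount namespace, map namespace uid 0 to your own host uid, then bind mount /dev/random) written out as a small C program. This is an added example, not code from the thread or from LXC; it assumes /dev/random exists, uses a constructed target path /tmp/random-bind, and needs a host that permits unprivileged user namespace creation. The first mount() attempt reproduces the EPERM Dirk saw as a plain user; the second succeeds because the caller is now "root" inside the namespace while still being the same unprivileged uid on the host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Render one "inside outside count" line for /proc/self/uid_map or gid_map. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

/* Write a string to a /proc file in a single write(); 0 on success, -1 with errno set. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    int saved = errno; close(fd); errno = saved;
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

/* Unshare user + mount namespaces and map namespace uid/gid 0 to our host ids: "root" inside, our own uid outside. */
int enter_user_and_mount_ns(void)
{
    char map[64];
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;
    /* An unprivileged process must deny setgroups before the kernel lets it write gid_map. */
    if (write_file("/proc/self/setgroups", "deny") < 0) return -1;
    if (format_id_map(map, sizeof map, 0, geteuid(), 1) < 0 || write_file("/proc/self/uid_map", map) < 0) return -1;
    if (format_id_map(map, sizeof map, 0, getegid(), 1) < 0 || write_file("/proc/self/gid_map", map) < 0) return -1;
    return 0;
}

int main(void)
{
    const char *target = "/tmp/random-bind";                                  /* constructed bind target */
    int fd = open(target, O_CREAT | O_WRONLY, 0600); if (fd >= 0) close(fd); /* a file can bind over a file */
    /* As a plain user this is the "Operation not permitted" from the thread; as real root it just succeeds. */
    if (mount("/dev/random", target, NULL, MS_BIND, NULL) == 0) umount(target);
    else printf("before unshare: mount failed: %s\n", strerror(errno));
    if (enter_user_and_mount_ns() < 0) { perror("enter namespaces"); return 1; }
    if (mount("/dev/random", target, NULL, MS_BIND, NULL) < 0) { perror("after unshare: mount"); return 1; }
    printf("after unshare: /dev/random bound at %s; namespace uid %u\n", target, (unsigned)getuid());
    return 0;
}
```

The bind mount lives only in the new mount namespace, so nothing on the host changes and, as Serge notes, any setuid-root binary run from this shell executes as your host uid, not as real root.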