[lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

Saint Michael venefax at gmail.com
Wed Jan 13 23:01:22 UTC 2016


I noticed that lxc-attach does not run
source /etc/profile
and that is an issue since we set many environment variables and settings
that are needed for what comes next.
Is there a workaround?

On Wed, Jan 13, 2016 at 4:49 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Carlos Alberto Lopez Perez (clopez at igalia.com):
> > On 11/01/16 23:36, Serge Hallyn wrote:
> > > The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> > > lxd interposes a pty between your console and the container's.
> >
> > I understand that I could do the same (get a fresh PTY before attaching) with
> > (for example): "screen lxc-attach ..." [1]
> >
> > Do you think it will be a good idea to patch lxc-attach to automatically do
> > that (get a fresh PTY before attaching)?
>
> Yes, I'd really like someone to do that.  It's on my list,
> but that list is pretty long.
>
> > Will this solve all known security issues regarding the usage of lxc-attach?
>
> I think so.
>
> > Or is there something more that I'm missing other than the PTY vulnerability?
> >
> > Regards.
> >
> > [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
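The "fresh PTY before attaching" idea discussed in the quoted thread, as an added example that is not part of the original messages or of the lxc code base: the wrapper allocates a new pty, runs a command with the slave side as its terminal, and relays the output, so the command never holds a descriptor for the caller's own terminal. It covers only the non-interactive case (one command, output captured); `run_in_fresh_pty` is a hypothetical name, and the command to wrap (for instance an lxc-attach invocation) is supplied by the caller.

```python
import os
import pty
import sys


def run_in_fresh_pty(argv):
    """Run argv on a newly allocated pty; return (exit_code, output_bytes)."""
    pid, master = pty.fork()
    if pid == 0:
        # Child: stdin/stdout/stderr and the controlling terminal are now the
        # new pty's slave side, not the terminal the caller is sitting at.
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached if exec failed

    captured = bytearray()
    while True:
        try:
            chunk = os.read(master, 4096)
        except OSError:
            break  # Linux reports EIO once the slave side is closed
        if not chunk:
            break  # other platforms report EOF instead
        captured += chunk
    os.close(master)

    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status), bytes(captured)
    return -os.WTERMSIG(status), bytes(captured)


if __name__ == "__main__":
    # Default command prints the terminal name the child sees.
    code, out = run_in_fresh_pty(sys.argv[1:] or ["tty"])
    sys.stdout.buffer.write(out)
    sys.exit(code)
```

Run with no arguments from a terminal and compare the printed device name with the output of `tty` in the same shell: the two differ, which is the separation that "screen lxc-attach ..." provides.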