[lxc-users] Linuxcontainers security?
Stéphane Graber
stgraber at ubuntu.com
Sun Mar 19 16:43:45 UTC 2017
On Sun, Mar 19, 2017 at 05:08:24PM +0100, Ingo Baab wrote:
> Hi LXD/LXC Users,
>
> today I read that at the hacking contest "Pwn2Own" 'they' escaped from a
> VMWare
> (running Windows10) using three exploits together (exploiting Edge and using
> a windows-
> 10-kernel-hack..) [1].
>
> I asked myself, how secure is a (my) LXD/LXC container system?
>
> How do you 'estimate' the security running a webhosting-container as I do
> getting compromised?
> I do successfully setup and run nginx, php7, redis-server, mysql-server on
> my linux-containers.
>
> Any information or links are highly apreciated,
> Ingo Baab
> ___
> [1] https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
See https://linuxcontainers.org/lxc/security/
So it depends on:
- Container is unprivileged or not
- If unprivileged, uses dedicated id map
- Container uses secure network
- Resource limits applied to the container
If all of that is done properly, then you're fine so long as there
aren't any kernel issue allowing privilege escalation. Which would be a
big problem regardless of whether you're running things in a container
or not.
One thing that tends to always be true is that running the same code
inside a container instead of directly on the host will not make things
any worse.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170319/be15b92d/attachment.sig>
More information about the lxc-users
mailing list