On Sun, Mar 19, 2017 at 05:08:24PM +0100, Ingo Baab wrote:
> Hi LXD/LXC Users,
> 
> today I read that at the hacking contest "Pwn2Own" 'they' escaped from a
> VMWare (running Windows10) using three exploits together (exploiting Edge
> and using a windows-10-kernel-hack..) [1].
> 
> I asked myself, how secure is a (my) LXD/LXC container system?
> 
> How do you 'estimate' the security running a webhosting-container as I do
> getting compromised?
> I do successfully setup and run nginx, php7, redis-server, mysql-server on
> my linux-containers.
> 
> Any information or links are highly appreciated,
> Ingo Baab
> ___
> [1] https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

See https://linuxcontainers.org/lxc/security/

So it depends on:
 - Container is unprivileged or not
 - If unprivileged, uses dedicated id map
 - Container uses secure network
 - Resource limits applied to the container

If all of that is done properly, then you're fine so long as there
aren't any kernel issues allowing privilege escalation. Which would be a
big problem regardless of whether you're running things in a container
or not.


One thing that tends to always be true is that running the same code
inside a container instead of directly on the host will not make things
any worse.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com


_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
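
The four criteria listed in the reply above can be checked against the JSON that `lxc list --format json` prints. The following is an added example, not part of the original thread or of the LXD project's code. It assumes the LXD keys `security.privileged`, `security.idmap.isolated`, `limits.*` and the bridged-nic option `security.mac_filtering` as stand-ins for those criteria; the sample data is constructed.

```python
import json

# Constructed sample in the shape of `lxc list --format json` (not from the thread).
SAMPLE = json.loads("""[
 {"name": "web1",
  "expanded_config": {"security.privileged": "true"},
  "expanded_devices": {"eth0": {"type": "nic", "nictype": "bridged",
                                "parent": "lxdbr0"}}},
 {"name": "web2",
  "expanded_config": {"security.idmap.isolated": "true", "limits.memory": "1GB",
                      "limits.cpu": "2", "limits.processes": "500"},
  "expanded_devices": {"eth0": {"type": "nic", "nictype": "bridged",
                                "parent": "lxdbr0",
                                "security.mac_filtering": "true"}}}
]""")

# Assumption: these three keys represent "resource limits applied".
LIMIT_KEYS = ("limits.memory", "limits.cpu", "limits.processes")

def is_true(value):
    # LXD stores booleans as strings.
    return str(value).lower() in ("true", "1", "yes", "on")

def audit(container):
    """Return a list of findings for one container object."""
    cfg = container.get("expanded_config") or {}
    devices = container.get("expanded_devices") or {}
    findings = []
    if is_true(cfg.get("security.privileged", "false")):
        findings.append("privileged container")
    elif not is_true(cfg.get("security.idmap.isolated", "false")):
        findings.append("shares the default id map")
    missing = [k for k in LIMIT_KEYS if not cfg.get(k)]
    if missing:
        findings.append("no " + ", ".join(missing))
    # Assumption: MAC filtering on bridged nics is the "secure network" proxy.
    for name, dev in sorted(devices.items()):
        if (dev.get("type") == "nic" and dev.get("nictype") == "bridged"
                and not is_true(dev.get("security.mac_filtering", "false"))):
            findings.append("nic %s: no MAC filtering" % name)
    return findings

def audit_all(containers):
    return {c["name"]: audit(c) for c in containers}

if __name__ == "__main__":
    # Real use: replace SAMPLE with json.load(sys.stdin) fed by `lxc list --format json`.
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```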
