On Mon, Nov 11, 2013 at 01:19:25PM +0100, Adam Ryczkowski wrote:
> Last year I read many times that LXC has some outstanding
> security issues, and that the encapsulation is not tight enough to
> prevent hijacking the host when the guest is compromised. But I
> never managed to find out how exactly one escapes the LXC
> container.
>
> I'm using the LXC containers as holders for virtual computers
> (just as advertised in
> https://help.ubuntu.com/12.04/serverguide/lxc.html) in the hope that
> this will make another line of defense against hackers anyway.
>
> Recently the host got hacked (Ubuntu 12.04 precise with kernel
> 3.8.2), and I have renewed suspicions about the impenetrability of
> LXC.
>
> I wonder what the state of affairs is now. How does one implement
> virtual computers inside LXC containers, so that root on a guest cannot
> get root rights on the host?
If you have a process running as "root" inside the container, then you
should assume it is *insecure* unless the container is configured with
either a user namespace uid+gid mapping, or some mandatory access control
(MAC) system like SELinux / AppArmor. Without the uid/gid mapping or a MAC
layer, root in the container has all sorts of access to stuff in sysfs &
procfs that it can use to cause havoc in the host, and quite possibly other
things besides.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
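As an added illustration of the two conditions named in the reply above (not code from the thread or from the LXC project), the following POSIX shell function audits a container config file for exactly those conditions: a user namespace mapping that puts container uid 0 and gid 0 into an unprivileged host range, or an AppArmor profile other than "unconfined". It assumes the LXC config keys `lxc.id_map` / `lxc.aa_profile` (LXC 1.x) and their later spellings `lxc.idmap` / `lxc.apparmor.profile`.

```shell
#!/bin/sh
# check_container_config FILE
# Exit 0 if the config either maps container root (uid 0 AND gid 0) into a
# non-zero host id range, or sets a confining AppArmor profile; exit 1 if
# root in the container would be host-equivalent (full sysfs/procfs reach).
check_container_config() {
    cfg="$1"
    has_uid_map=0; has_gid_map=0; has_mac=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;          # skip comments and blank lines
        esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            lxc.id_map|lxc.idmap)
                # value format: <u|g> <container start id> <host start id> <range>
                set -- $val
                [ $# -eq 4 ] || continue
                # only a mapping that starts at container id 0 and lands on a
                # non-zero host id actually demotes container root
                if [ "$2" -eq 0 ] && [ "$3" -ne 0 ]; then
                    [ "$1" = u ] && has_uid_map=1
                    [ "$1" = g ] && has_gid_map=1
                fi ;;
            lxc.aa_profile|lxc.apparmor.profile)
                [ -n "$val" ] && [ "$val" != unconfined ] && has_mac=1 ;;
        esac
    done < "$cfg"

    if [ $has_uid_map -eq 1 ] && [ $has_gid_map -eq 1 ]; then
        echo "$cfg: OK, container root is mapped to an unprivileged host range"
        return 0
    elif [ $has_mac -eq 1 ]; then
        echo "$cfg: OK, container is confined by an AppArmor profile"
        return 0
    else
        echo "$cfg: WARNING, container root is host-equivalent (no uid+gid map, no MAC)"
        return 1
    fi
}

# run directly: check_container_config /var/lib/lxc/<name>/config
if [ $# -gt 0 ]; then
    check_container_config "$1"
fi
```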