On Mon, 11 Nov 2013 13:49:11 +0100
Adam Ryczkowski <adam.ryczkow...@statystyka.net> wrote:

> On 11.11.2013 13:43, Daniel P. Berrange wrote:
> > On Mon, Nov 11, 2013 at 01:19:25PM +0100, Adam Ryczkowski wrote:
> >> Last year I read many times that LXC has some outstanding
> >> security issues, and that the encapsulation is not tight enough to
> >> prevent hijacking the host when the guest is compromised. But I
> >> never managed to find out how exactly one escapes an LXC
> >> container.
> >>
> >> I'm using LXC containers as holders for virtual computers
> >> (just as advertised in
> >> https://help.ubuntu.com/12.04/serverguide/lxc.html) in the hope that
> >> this will add another line of defense against hackers anyway.
> >>
> >> Recently the host got hacked (Ubuntu 12.04 precise with kernel
> >> 3.8.2), and I have renewed suspicions about the impenetrability of
> >> LXC.
> >>
> >> I wonder what the state of affairs is now. How does one implement
> >> virtual computers inside LXC containers so that root on a guest cannot
> >> get root rights on the host?
> > If you have a process running as "root" inside the container, then
> > you should assume it is *insecure* unless the container is configured
> > with either a user namespace uid+gid mapping, or some mandatory
> > access control (MAC) system like SELinux / AppArmor.  Without the
> > uid/gid mapping or a MAC layer, root in the container has all sorts
> > of access to stuff in sysfs & procfs that it can use to cause havoc
> > in the host, and quite possibly other things besides.
> >
> > Daniel
> Do you know by chance how this applies to the long-term-support Ubuntu 12.04?
> It uses AppArmor, but how sufficiently is it configured out of the box?
> 
> How to check if the server uses uid+gid mapping?

As far as I know, the only "distro" which has user namespaces at the moment is
Fedora rawhide (FC21) with the kernel 3.12. I think Ubuntu 14.04 plans to
include those, but I don't know the status of this. See the discussion here:
https://bugs.archlinux.org/task/36969

On your system run
$ lxc-checkconfig | grep "User namespace"
to check if user namespaces are enabled on your host.

Cheers,
Leonid.

> 
> Thank you,
> 
> Adam
> 
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most 
> from the latest Intel processors and coprocessors. See abstracts and register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-users mailing list
> Lxc-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users



-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
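To go one step beyond `lxc-checkconfig`, here is an added example (not code from this thread or from the LXC project) that turns the two questions of the thread into checks you can run on the host: is the kernel built with user namespaces, and does a given container config actually map container root to an unprivileged host uid, or at least pin an AppArmor profile? It assumes the LXC 1.x config keys `lxc.id_map` and `lxc.aa_profile`, and takes file paths as parameters so it can be pointed at the live system or at constructed inputs; the script name `lxc-rootcheck.sh` is hypothetical.

```sh
#!/bin/sh
# Added example for the checks discussed above; it is not code from the thread
# or from the LXC project. It assumes LXC 1.x config keys (lxc.id_map,
# lxc.aa_profile) and takes file paths as parameters so it can be run against
# the live system or against constructed inputs.

# 0 if the kernel config file $1 was built with user namespaces.
kernel_has_userns() {
    grep -Eq '^CONFIG_USER_NS=y$' "$1"
}

# 0 if a uid_map/gid_map file (e.g. /proc/<container-init-pid>/uid_map read
# from the host) is the identity map of the initial namespace. A process whose
# map reads "0 0 4294967295" is not in a user namespace, so uid 0 inside it is
# host uid 0.
uidmap_is_identity() {
    awk 'NR == 1 && $1 == 0 && $2 == 0 && $3 == 4294967295 { found = 1 }
         END { exit !found }' "$1"
}

# Print the host uid that container uid 0 is mapped to by the first
# "lxc.id_map = u 0 <host-uid> <count>" line of config $1; print nothing if
# uid 0 is not mapped at all.
idmap_root_target() {
    awk -F'=' '$1 ~ /^lxc\.id_map[[:space:]]*$/ {
                   split($2, f, " ")
                   if (f[1] == "u" && f[2] == "0") { print f[3]; exit }
               }' "$1"
}

# 0 if config $1 pins an AppArmor profile other than "unconfined".
config_has_aa_profile() {
    awk -F'=' '$1 ~ /^lxc\.aa_profile[[:space:]]*$/ {
                   gsub(/[[:space:]]/, "", $2)
                   if ($2 != "" && $2 != "unconfined") ok = 1
               }
               END { exit !ok }' "$1"
}

# Classify config $1 as one of:
#   unprivileged  - container root is mapped to a non-zero host uid
#   mac-confined  - root is host root, but an AppArmor profile is pinned
#   host-root     - root is host root and nothing in the config confines it
classify_container() {
    target=$(idmap_root_target "$1")
    if [ -n "$target" ] && [ "$target" -ne 0 ]; then
        echo unprivileged
    elif config_has_aa_profile "$1"; then
        echo mac-confined
    else
        echo host-root
    fi
}

# Usage on a host:  sh lxc-rootcheck.sh /var/lib/lxc/<name>/config
if [ "$#" -ge 1 ]; then
    if kernel_has_userns "/boot/config-$(uname -r)"; then
        echo "kernel: CONFIG_USER_NS=y"
    else
        echo "kernel: built without user namespaces (or config not at /boot)"
    fi
    echo "container: $(classify_container "$1")"
fi
```

Two caveats. The script only trusts what is written in the config file: a container whose config has no `lxc.aa_profile` line may still get the distro's default profile at start-up, but the script reports it as host-root because the file itself does not prove confinement. And a mapping such as `lxc.id_map = u 0 0 65536` does create a user namespace but still makes container root host uid 0, which is why the classification looks at the target uid rather than at the mere presence of the key.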

