Re: [lxc-users] Samba4 DC in an unprivileged container

2018-02-07 Thread Stéphane Graber
On Wed, Feb 07, 2018 at 06:28:50PM +0300, Andrey Repin wrote:
> Greetings, Frank Dornheim!
> 
> > I'm trying to set up a Samba4 AD in an unprivileged container:
> >  
> >  
> >  
> > My OS is an Ubuntu 17.10 server and my container is an Ubuntu 17.10.
> >  
> > My lxd version is:
> >  
> >  Package: lxd 
> >  Version: 2.18-0ubuntu6
> 
> > First, I have a working setup as a "privileged container".
> >  
> > But I want to secure my installation and move samba4 into an unprivileged
> > container.
> 
> Unprivileged containers are no more secure than privileged containers,
> generally speaking.

Hmm, what?

A privileged container has uid 0 in the container be uid 0 at the kernel level.
An unprivileged container has uid 0 in the container mapped to uid
10 at the kernel level.

Unprivileged containers are MASSIVELY more secure than privileged containers.
There are numerous ways to escape a privileged container, which just come down
to the fact that you are running with full kernel privileges and so
rely entirely on things like capabilities and LSMs to protect your
system.

Unprivileged containers on the other hand are safe by design. An attack
which would allow root in an unprivileged container to escape to the
host would also be a user-to-root privilege escalation on every
normal Linux system. There are some of those every so often; they are
critical kernel security bugs and they do get fixed very quickly.

Unprivileged containers do not need a perfectly configured seccomp,
apparmor, capabilities set or cgroups to be safe, all of those are
merely extra safety nets in case the main privilege enforcement (user
namespace) fails due to a critical kernel security bug.

> > I get the error message below when I do the setup with samba-tool domain 
> > provision.
> 
> Can you post your smb.conf before provisioning?
> 
> 
> -- 
> With best regards,
> Andrey Repin
> Wednesday, February 7, 2018 18:26:59
> 
> Sorry for my terrible english...
> 
> ___
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

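The uid mapping Stéphane describes is what the kernel exposes in /proc/<pid>/uid_map, and it is the quickest way to verify which kind of container you actually have. The script below is an added example, not code from the thread or from LXD: it parses uid_map lines ("first uid in the namespace", "first uid on the host", "count"), resolves a container uid to its host uid, and classifies the map as privileged (identity mapping, uid 0 stays uid 0) or unprivileged (uid 0 shifted to a high host uid). The sample maps are constructed, and the 100000 base is an assumption for illustration; the real base depends on the subuid/subgid range LXD was given.

```shell
#!/bin/sh
# Added example (not from the thread or LXD): interpret uid_map data the way
# the kernel does and tell a privileged container from an unprivileged one.
#
# Each uid_map line has three fields:
#   <first uid inside the namespace> <first uid on the host> <count>
# A privileged container maps the whole range onto itself ("0 0 4294967295");
# an unprivileged one shifts uid 0 to a high host uid.

# Constructed sample maps (not captured from a real system). The 100000 base
# is an assumption; LXD's actual base comes from its subuid allocation.
PRIV_MAP="0 0 4294967295"
UNPRIV_MAP="0 100000 65536"

# map_uid INNER_UID MAP
# Prints the host uid that INNER_UID is backed by, or "unmapped" when the uid
# falls outside every range (such uids show up as nobody/65534 inside the ns).
map_uid() {
    inner="$1"
    map="$2"
    result="unmapped"
    # A here-document keeps the loop in the current shell, so the assignment
    # to $result survives (a pipe into "while read" would run in a subshell).
    while read -r ns_start host_start count; do
        [ -z "$ns_start" ] && continue
        if [ "$inner" -ge "$ns_start" ] && [ "$inner" -lt $((ns_start + count)) ]; then
            result=$((host_start + inner - ns_start))
        fi
    done <<EOF
$map
EOF
    echo "$result"
}

# classify MAP
# "privileged" when container uid 0 is host uid 0, otherwise "unprivileged".
classify() {
    if [ "$(map_uid 0 "$1")" = "0" ]; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Stand-alone demo over the constructed maps.
for m in "$PRIV_MAP" "$UNPRIV_MAP"; do
    echo "container uid 0 -> host uid $(map_uid 0 "$m") ($(classify "$m"))"
    echo "container uid 70000 -> host uid $(map_uid 70000 "$m")"
done

# On a live container the same parser can be fed the real map, e.g.
#   lxc exec "$CONTAINER_NAME" -- cat /proc/1/uid_map
# and cross-checked against LXD's own setting:
#   lxc config get "$CONTAINER_NAME" security.privileged
```

The "unmapped" case matters in practice: with the constructed 65536-entry map, uid 70000 has no host backing at all, which is why a rootfs or bind-mounted share owned by a uid outside the container's range shows up as nobody and fails permission checks rather than silently working.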

Re: [lxc-users] Samba4 DC in an unprivileged container

2018-02-07 Thread Andrey Repin
Greetings, Frank Dornheim!

> I'm trying to set up a Samba4 AD in an unprivileged container:
>  
>  
>  
> My OS is an Ubuntu 17.10 server and my container is an Ubuntu 17.10.
>  
> My lxd version is:
>  
>  Package: lxd 
>  Version: 2.18-0ubuntu6

> First, I have a working setup as a "privileged container".
>  
> But I want to secure my installation and move samba4 into an unprivileged
> container.

Unprivileged containers are no more secure than privileged containers,
generally speaking.

> I get the error message below when I do the setup with samba-tool domain 
> provision.

Can you post your smb.conf before provisioning?


-- 
With best regards,
Andrey Repin
Wednesday, February 7, 2018 18:26:59

Sorry for my terrible english...


Re: [lxc-users] Samba4 DC in an unprivileged container

2018-02-07 Thread brian mullan
Did you try to create/configure a totally new Samba4 unprivileged
container, or just clone your working privileged one and then convert the
clone to unprivileged using:

lxc config set $CONTAINER_NAME security.privileged false