*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jamie Strandboge 
(jdstrand):

Binary package hint: lxc

Bug related information:
# lsb_release -rd
Description:    Ubuntu 10.04.1 LTS
Release:        10.04
# apt-cache policy lxc
lxc:
  Installed: 0.7.2-1~10.04~csz1
  Candidate: 0.7.2-1~10.04~csz1
  Version table:
 *** 0.7.2-1~10.04~csz1 0
        500 http://ppa.launchpad.net/cszikszoy/ppa/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
     0.6.5-1 0
        500 http://mirror.switch.ch/ftp/mirror/ubuntu/ lucid/universe Packages

(Never mind that I am using a PPA version: it's the same version you're
using in Maverick and I don't think this is causing the issue that I am
facing now.)

I created a system image using the tool "lxc-create" and the included
templates (I even created images myself without this tool, and nothing
changes with this issue).
The tool performs all the necessary steps to create the image (debootstrap and
so on) and, at the end of the process, creates a config file suitable for that
image.
One of the last rows of the config file is:
lxc.mount.entry=proc /lxc/cont_1/rootfs/proc proc nodev,noexec,nosuid 0 0
The same identical problem happens if I comment out this row and mount /proc
myself from /etc/fstab inside the container.

The problem arises when I issue the command:
echo b > /proc/sysrq-trigger
In this case the host machine will power-off, and not the container.

It's possible to check what I said, without harming your server, just by
running a sync command in the container:
echo s > /proc/sysrq-trigger
and then checking /var/log/messages on the host server. You'll see that the
command is intercepted by the host and not by the container.

Right now, I have no idea how to circumvent this issue, and if this
problem persists, I feel the security of LXC is heavily compromised.

** Affects: lxc (Ubuntu)
     Importance: Medium
         Status: Confirmed

-- 
lxc container can power-off host machine
https://bugs.edge.launchpad.net/bugs/645625
You received this bug notification because you are a member of Ubuntu Server 
Team, which is a direct subscriber.

-- 
Ubuntu-server-bugs mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
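The reporter's harmless check (write "s" to the trigger inside the container, then look at the host's /var/log/messages) and the underlying question of whether the trigger is writable from a container can be turned into a small audit script. The following is an added example; it is not code from the bug report or from the LXC project. It assumes that the kernel records each handled SysRq key as a log line containing "SysRq : <action>" (for example "SysRq : Emergency Sync" for 's' and "SysRq : Resetting" for 'b', the action messages of the kernel's sysrq handlers) and that the host collects those lines in /var/log/messages as the report describes. The sample log lines in the block are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the bug report or of LXC: audit helpers for
# the /proc/sysrq-trigger exposure described in the report.
#
# Assumptions (not taken from the report):
#  - the kernel logs each handled SysRq key as a line containing
#    "SysRq : <action>", e.g. "SysRq : Emergency Sync" for 's' and
#    "SysRq : Resetting" for 'b';
#  - the host collects kernel messages in /var/log/messages.

SYSRQ_PATTERN='SysRq : '

# Count the SysRq actions recorded in a host log file. Prints the count
# (0 when the file is missing or has no matches) and always returns 0.
sysrq_event_count() {
    log="$1"
    if [ ! -r "$log" ]; then
        echo 0
        return 0
    fi
    grep -c -- "$SYSRQ_PATTERN" "$log" || true
}

# Print only the SysRq actions that take the whole host down (the
# reboot, power-off and crash handlers), so an alert can be raised on
# those rather than on the harmless 's' sync used in the report's check.
# Action strings are the handlers' messages as assumed above.
sysrq_host_impact_events() {
    grep -E -- 'SysRq : (Resetting|Power Off|Trigger a crash)' "$1" 2>/dev/null || true
}

# Run inside a container: report whether the caller could write to the
# sysrq trigger (exit 0 = writable, i.e. the host is exposed). `test -w`
# uses access(2) W_OK, which fails on a read-only mount even for root, so
# a trigger remounted read-only shows up as protected, while the 0.7.2
# configuration in the report shows it as writable.
sysrq_trigger_writable() {
    f="${1:-/proc/sysrq-trigger}"
    [ -e "$f" ] && [ -w "$f" ]
}

# Constructed sample host log (not real data) for the stand-alone demo.
# Prints the path of a temporary file holding the sample lines.
sysrq_sample_log() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Sep 23 10:01:02 host kernel: [ 1234.567890] SysRq : Emergency Sync
Sep 23 10:01:02 host kernel: [ 1234.567900] Emergency Sync complete
Sep 23 10:05:10 host kernel: [ 1482.001122] SysRq : Resetting
EOF
    echo "$tmp"
}

# Stand-alone demo: sh sysrq-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    log=$(sysrq_sample_log)
    echo "SysRq actions logged: $(sysrq_event_count "$log")"
    echo "Host-impacting actions:"
    sysrq_host_impact_events "$log"
    if sysrq_trigger_writable; then
        echo "/proc/sysrq-trigger is writable from here: host exposed"
    else
        echo "/proc/sysrq-trigger is not writable from here"
    fi
    rm -f "$log"
fi
```

On the host, point sysrq_event_count and sysrq_host_impact_events at the real /var/log/messages (or at `dmesg` output saved to a file) after running the report's "echo s" check from a container; inside the container, sysrq_trigger_writable with no argument answers the report's central question directly. Because the writability test goes through access(2), it also reflects the mitigation that later LXC releases apply by remounting /proc/sys and /proc/sysrq-trigger read-only (lxc.mount.auto = proc:mixed in LXC 1.x), which is an assumption about later versions and not something the report covers.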
