Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?
On Mon, Oct 5, 2015 at 11:58 PM, Fabio Tudone (fa...@paralleluniverse.co) wrote: > On 09/30/2015 08:38 PM, Serge Hallyn wrote: >>> >>> On a more practical level what could be the security implications? >>> Are there host resources that a malicious program could compromise >>> when running in a container with the capabilities of a regular host >>> user mapped in there? Even because of (hypothetical) system issues / >>> bugs / vulnerabilities. Can someone think of actual examples? >> >> yes. > > > Could you expand on that? What could happen for example? I'm no security > expert but I'm interested in understanding the implications. I believe the simplest example would probably be from Stephane's blog: https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/ . User 1000 in the host is mapped to the same uid on the container, for the purpose of easy configuration of X and sound access from the container. Should some security vulnerability occur that allows the user to escape the container (or run arbitrary command inside the host), the "escaped" user will be restricted as uid 1000, which is theoretically still much safer compared to privileged container. However even that non-root-on-the-host user might still cause problems: - If you have assigned additinal permission for that user (e.g. If uid 1000 on the host is a member of "disk" group, which has write access to block devices), the user can wreak havoc using that additional permission - If that user has created several containers, the "escaped" user can compromise other containers belong to that user So short version: - much safer than privileged container - can potentially still cause problems as that uid - use different id_map (with uids not used on the host) for each container if you want maximum security -- Fajar ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?
On 09/30/2015 08:38 PM, Serge Hallyn wrote: On a more practical level what could be the security implications? Are there host resources that a malicious program could compromise when running in a container with the capabilities of a regular host user mapped in there? Even because of (hypothetical) system issues / bugs / vulnerabilities. Can someone think of actual examples? yes. Could you expand on that? What could happen for example? I'm no security expert but I'm interested in understanding the implications. Thanks, -- Fabio ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?
Quoting Fabio Tudone (fa...@paralleluniverse.co) (fa...@paralleluniverse.co): > I really meant unprivileged containers created for example by the > download template. > > Usually subuids have an empty set of capabilities on the host, which > means that even if they were accessing host resources they wouldn't > be able to do much, so they are effectively "jailed". On the other > hand if a regular host's user is mapped into the container it would > theoretically be able to access host resources with the same > capabilities granted to the host's user, isn't it? No. So long as the container has an lxc.id_map entry, it will run in a private user namespace, and will have no capabilities with respect to the host. It will have full caps wrt any uids mapped into the container, and any resources created by the container. > On a more practical level what could be the security implications? > Are there host resources that a malicious program could compromise > when running in a container with the capabilities of a regular host > user mapped in there? Even because of (hypothetical) system issues / > bugs / vulnerabilities. Can someone think of actual examples? yes. ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?
I really meant unprivileged containers created for example by the download template. Usually subuids have an empty set of capabilities on the host, which means that even if they were accessing host resources they wouldn't be able to do much, so they are effectively "jailed". On the other hand if a regular host's user is mapped into the container it would theoretically be able to access host resources with the same capabilities granted to the host's user, isn't it? On a more practical level what could be the security implications? Are there host resources that a malicious program could compromise when running in a container with the capabilities of a regular host user mapped in there? Even because of (hypothetical) system issues / bugs / vulnerabilities. Can someone think of actual examples? Thanks. -- Fabio On 09/30/2015 07:10 PM, Serge Hallyn wrote: Quoting Fabio Tudone (fa...@paralleluniverse.co) (fa...@paralleluniverse.co): Hi, instead of creating "regular" LXC unprivileged containers where all the users are mapped to (unprivileged) subuid/gid of my host user, I'm considering a mapping where my host user itself will be mapped to user 0 (root). They'd be very slim single-app containers. The reason is that in this way I don't need the rootfs directory subtree, which resides in my user's home, to be namespace-|chmod|to a different user and I can delete it with a plain|rm|instead of a namespace one. Is this kind of LXC less secure than the "regular" one, and why is it? What could happen in the worst case? Don't know what you mean by the regular lxc. Root in your container will have full rights to your user-owned files on the host, but that's it. That is no different than if you map your host uid into the container to any other id (since root in the container will have privilege over your host-uid-owned files in that case). So in general I recommend against mapping your host user into the container, but it has its uses (and i do it in one container). ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?
Quoting Fabio Tudone (fa...@paralleluniverse.co) (fa...@paralleluniverse.co): > Hi, > > instead of creating "regular" LXC unprivileged containers where all > the users are mapped to (unprivileged) subuid/gid of my host user, > I'm considering a mapping where my host user itself will be mapped > to user 0 (root). They'd be very slim single-app containers. > > The reason is that in this way I don't need the rootfs directory > subtree, which resides in my user's home, to be namespace-|chmod|to > a different user and I can delete it with a plain|rm|instead of a > namespace one. > > Is this kind of LXC less secure than the "regular" one, and why is > it? What could happen in the worst case? Don't know what you mean by the regular lxc. Root in your container will have full rights to your user-owned files on the host, but that's it. That is no different than if you map your host uid into the container to any other id (since root in the container will have privilege over your host-uid-owned files in that case). So in general I recommend against mapping your host user into the container, but it has its uses (and i do it in one container). ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
[lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?
Hi, instead of creating "regular" LXC unprivileged containers where all the users are mapped to (unprivileged) subuid/gid of my host user, I'm considering a mapping where my host user itself will be mapped to user 0 (root). They'd be very slim single-app containers. The reason is that in this way I don't need the rootfs directory subtree, which resides in my user's home, to be namespace-|chmod|to a different user and I can delete it with a plain|rm|instead of a namespace one. Is this kind of LXC less secure than the "regular" one, and why is it? What could happen in the worst case? Thanks, -- Fabio ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
