Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-26 Thread Serge Hallyn
I think that is correct.  Except that it's not the host on which you
run 'lxc' which matters, but the one running the lxd daemons.  But
yes, afaik you can create a container which mounts /dev/sda as a disk
device and do what you like.

Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
>  Since LXD is starting the unprivileged containers as root, does that mean 
> that from a security point of view there is no difference between running the 
> 'lxc' commands from a user which is a member of the 'sudo' group and a user 
> which is not?
> For plain LXC I've understood that it is more secure to run as a user which 
> is not a member of the 'sudo' group. That doesn't seem to be the case for LXD 
> anymore. Is that correct?
> 
> 
> -"lxc-users"  wrote: -
> To: LXC users mailing-list 
> From: Serge Hallyn 
> Sent by: "lxc-users" 
> Date: 01/11/2016 23:36
> Subject: Re: [lxc-users] is starting unprivileged containers as root as 
> secure as running them as any other user?
> 
> Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> > On 11/01/16 23:13, Serge Hallyn wrote:
> > > Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> > >>  Hmm, this is interesting.
> >> I am running my container from the unprivileged user 'lxduser' and yet:
> > >>
> > >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> > >> root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] 
> > >> /var/lib/lxd/containers pgroonga
> > >>
> > >> What is wrong here?
> > > 
> > > You're using lxd.  Lxd runs as root.  You are not starting the
> > > containers as 'lxduser' - you are making requests as 'lxduser' for
> > > the root-owned process 'lxd' to start the containers.
> > 
> > I understood that LXD uses unprivileged containers by default...
> > 
> > Does this mean that LXD is starting the unprivileged containers as root?
> 
> yes.  It does many things which an unprivileged user cannot do, so it has
> to run as root.
> 
> The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> lxd interposes a pty between your console and the container's.
> ___
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users


Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-13 Thread Carlos Alberto Lopez Perez
On 11/01/16 23:36, Serge Hallyn wrote:
> The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> lxd interposes a pty between your console and the container's.

I understand that I could do the same (get a fresh PTY before attaching) with
(for example): "screen lxc-attach ..." [1]

Do you think it would be a good idea to patch lxc-attach to automatically do
that (get a fresh PTY before attaching)?

Will this solve all known security issues regarding the usage of lxc-attach?
Or is there something more that I'm missing, other than the PTY vulnerability?


Regards.

[1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html




Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-13 Thread Saint Michael
I noticed that lxc-attach does not run
source /etc/profile
and that is an issue since we set many environment variables and settings
that are needed for what comes next.
Is there a workaround?

On Wed, Jan 13, 2016 at 4:49 PM, Serge Hallyn wrote:

> Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> > On 11/01/16 23:36, Serge Hallyn wrote:
> > > The lxc-attach weakness I mentioned does not apply to 'lxc exec',
> > > because lxd interposes a pty between your console and the container's.
> >
> > I understand that I could do the same (get a fresh PTY before attaching)
> > with (for example): "screen lxc-attach ..." [1]
> >
> > Do you think it would be a good idea to patch lxc-attach to automatically
> > do that (get a fresh PTY before attaching)?
>
> Yes, I'd really like someone to do that.  It's on my list,
> but that list is pretty long.
>
> > Will this solve all known security issues regarding the usage of
> > lxc-attach?
>
> I think so.
>
> > Or is there something more that I'm missing, other than the PTY
> > vulnerability?
> >
> >
> > Regards.
> >
> > [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
> >
>
>
>

Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-13 Thread Serge Hallyn
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 11/01/16 23:36, Serge Hallyn wrote:
> > The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> > lxd interposes a pty between your console and the container's.
> 
> I understand that I could do the same (get a fresh PTY before attaching) with
> (for example): "screen lxc-attach ..." [1]
> 
> Do you think it would be a good idea to patch lxc-attach to automatically do
> that (get a fresh PTY before attaching)?

Yes, I'd really like someone to do that.  It's on my list,
but that list is pretty long.

> Will this solve all known security issues regarding the usage of lxc-attach?

I think so.

> Or is there something more that I'm missing, other than the PTY vulnerability?
> 
> 
> Regards.
> 
> [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
> 




Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-13 Thread Andrey Repin
Greetings, Saint Michael!

> I noticed that lxc-attach does not run

> source /etc/profile

> and that is an issue since we set many environment variables and settings 
> that are needed for what comes next.

> Is there a workaround?

lxc-attach -n container -- sudo -i


-- 
With best regards,
Andrey Repin
Thursday, January 14, 2016 06:55:42

Sorry for my terrible English...


Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-12 Thread Serge Hallyn
Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> So if I understood correctly, this means that lxd could potentially suffer 
> from a weakness in 'lxc monitor', meaning that it is more secure to run 
> unprivileged containers using the low level lxc-... functions?

I mentioned the lxc-monitor case for completeness, but as there should be no
sockets etc from the monitor available to the container, it'll be a very
interesting case if/when such a vuln is found.

Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-11 Thread Carlos Alberto Lopez Perez
On 11/01/16 23:13, Serge Hallyn wrote:
> Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
>>  Hmm, this is interesting.
>> I am running my container from the unprivileged user 'lxduser' and yet:
>>
>> root@qumind:~# ps -ef | grep '[l]xc monitor'
>> root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] 
>> /var/lib/lxd/containers pgroonga
>>
>> What is wrong here?
> 
> You're using lxd.  Lxd runs as root.  You are not starting the
> containers as 'lxduser' - you are making requests as 'lxduser' for
> the root-owned process 'lxd' to start the containers.

I understood that LXD uses unprivileged containers by default...

Does this mean that LXD is starting the unprivileged containers as root?




Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-11 Thread Serge Hallyn
Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
>  Hmm, this is interesting.
> I am running my container from the unprivileged user 'lxduser' and yet:
> 
> root@qumind:~# ps -ef | grep '[l]xc monitor'
> root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] 
> /var/lib/lxd/containers pgroonga
> 
> What is wrong here?

You're using lxd.  Lxd runs as root.  You are not starting the
containers as 'lxduser' - you are making requests as 'lxduser' for
the root-owned process 'lxd' to start the containers.

Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-11 Thread Serge Hallyn
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 11/01/16 23:13, Serge Hallyn wrote:
> > Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> >>  Hmm, this is interesting.
> >> I am running my container from the unprivileged user 'lxduser' and yet:
> >>
> >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> >> root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] 
> >> /var/lib/lxd/containers pgroonga
> >>
> >> What is wrong here?
> > 
> > You're using lxd.  Lxd runs as root.  You are not starting the
> > containers as 'lxduser' - you are making requests as 'lxduser' for
> > the root-owned process 'lxd' to start the containers.
> 
> I understood that LXD uses unprivileged containers by default...
> 
> Does this mean that LXD is starting the unprivileged containers as root?

yes.  It does many things which an unprivileged user cannot do, so it has
to run as root.

The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
lxd interposes a pty between your console and the container's.

Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-11 Thread david . andel
So if I understood correctly, this means that lxd could potentially suffer 
from a weakness in 'lxc monitor', meaning that it is more secure to run 
unprivileged containers using the low level lxc-... functions?

-"lxc-users"  wrote: -
To: LXC users mailing-list 
From: Serge Hallyn 
Sent by: "lxc-users" 
Date: 01/11/2016 23:36
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure 
as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 11/01/16 23:13, Serge Hallyn wrote:
> > Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> >>  Hmm, this is interesting.
> >> I am running my container from the unprivileged user 'lxduser' and yet:
> >>
> >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> >> root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] 
> >> /var/lib/lxd/containers pgroonga
> >>
> >> What is wrong here?
> > 
> > You're using lxd.  Lxd runs as root.  You are not starting the
> > containers as 'lxduser' - you are making requests as 'lxduser' for
> > the root-owned process 'lxd' to start the containers.
> 
> I understood that LXD uses unprivileged containers by default...
> 
> Does this mean that LXD is starting the unprivileged containers as root?

yes.  It does many things which an unprivileged user cannot do, so it has
to run as root.

The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
lxd interposes a pty between your console and the container's.

Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-11 Thread Carlos Alberto Lopez Perez
On 08/01/16 19:58, Serge Hallyn wrote:
> Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
>> Hi,
>>
>>
>> Suppose that we create an unprivileged container as root (using the
>> download template or manually converting it with uidmapshift).
>>
>> Such container config will contain (for example) the following maps:
>>
>> lxc.id_map = u 0 10 65536
>> lxc.id_map = g 0 10 65536
>>
>> And root would also be allowed to use them:
>>
>> $ usermod --add-subuids 10-165536 root
>> $ usermod --add-subgids 10-165536 root
>>
>>
>> My question is
>>
>> From a security point of view, does creating and starting an
>> unprivileged container as root make any difference compared with doing it
>> as any other user of the host?
> 
> Yes.
> 
> For example, if you'll then be running lxc-attach as root instead of as
> an unpriv user, then any attacks from inside the container against lxc-attach
> will attack the root user.
> 

Is this the only difference from a security point of view?
Suppose that I don't use lxc-attach, but lxc-console or login via ssh.





Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-11 Thread Serge Hallyn
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 08/01/16 19:58, Serge Hallyn wrote:
> > Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> >> Hi,
> >>
> >>
> >> Suppose that we create an unprivileged container as root (using the
> >> download template or manually converting it with uidmapshift).
> >>
> >> Such container config will contain (for example) the following maps:
> >>
> >> lxc.id_map = u 0 10 65536
> >> lxc.id_map = g 0 10 65536
> >>
> >> And root would also be allowed to use them:
> >>
> >> $ usermod --add-subuids 10-165536 root
> >> $ usermod --add-subgids 10-165536 root
> >>
> >>
> >> My question is
> >>
> >> From a security point of view, does creating and starting an
> >> unprivileged container as root make any difference compared with doing it
> >> as any other user of the host?
> > 
> > Yes.
> > 
> > For example, if you'll then be running lxc-attach as root instead of as
> > an unpriv user, then any attacks from inside the container against
> > lxc-attach will attack the root user.
> > 
> 
> Is this the only difference from a security point of view?
> Suppose that I don't use lxc-attach, but lxc-console or login via ssh.

The monitor (look for "[lxc monitor]" in process listing) runs with your
uid.  So if there were a way for the container to make the lxc monitor
execute code, it would be privilege escalation.
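
A quick way to check the point made above, that the monitor (and any lxc-attach session) for a container is owned by the uid that started it, is to parse the process listing for `[lxc monitor]` and `lxc-attach` entries and report their owners. The script below is an added example, not code from the thread or from the LXC/LXD projects; the `ps -ef` lines it parses are constructed for the example (one LXD-managed container whose monitor is root-owned because the lxd daemon started it, one plain unprivileged container started by 'lxduser', and an lxc-attach run as root). Paths and PIDs in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the thread or the LXC/LXD projects): report which
# host uid owns each "[lxc monitor]" and "lxc-attach" process. With plain LXC
# an unprivileged container started by 'lxduser' has a monitor owned by
# lxduser; with LXD the root-owned lxd daemon starts the monitor, so it shows
# as root even though the request came from an unprivileged user.

# Constructed 'ps -ef' output used as sample input (not real system data).
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 11:50 ?        00:00:00 /sbin/init
root      7601     1  0 11:53 ?        00:00:01 /usr/bin/lxd
root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
lxduser   7700     1  0 11:55 ?        00:00:00 [lxc monitor] /home/lxduser/.local/share/lxc web
root      7801  7000  0 11:56 pts/1    00:00:00 lxc-attach -n web'

# container_helpers PS_TEXT
# Prints one "OWNER ROLE CONTAINER" line per monitor or attach process.
# ps -ef columns are UID PID PPID C STIME TTY TIME CMD..., so the command
# starts at field 8; the monitor's container name is its last argument and
# lxc-attach names the container after -n.
container_helpers() {
    printf '%s\n' "$1" | awk '
        $8 == "[lxc" && $9 == "monitor]" { print $1, "monitor", $NF }
        $8 == "lxc-attach" {
            name = "?"
            for (i = 9; i < NF; i++) if ($i == "-n") name = $(i + 1)
            print $1, "attach", name
        }'
}

# root_helpers PS_TEXT
# Prints how many of those helper processes run as root. For plain LXC a
# non-zero count means the attack surface discussed in the thread (the
# monitor, lxc-attach) belongs to root rather than to an unprivileged user.
root_helpers() {
    container_helpers "$1" | awk '$1 == "root" { n++ } END { print n + 0 }'
}

# Stand-alone use: audit the sample, then the live host if ps is available.
container_helpers "$PS_SAMPLE"
echo "root-owned helpers in sample: $(root_helpers "$PS_SAMPLE")"
if command -v ps >/dev/null 2>&1; then
    echo "root-owned helpers on this host: $(root_helpers "$(ps -ef)")"
fi
```

On the sample this lists `root monitor pgroonga`, `lxduser monitor web` and `root attach web`, and counts two root-owned helpers. Run against a real host it tells you, per container, whether a weakness in the monitor or in lxc-attach would be exercised as root or as an unprivileged uid.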

Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-11 Thread david . andel
 Hmm, this is interesting.
I am running my container from the unprivileged user 'lxduser' and yet:

root@qumind:~# ps -ef | grep '[l]xc monitor'
root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] 
/var/lib/lxd/containers pgroonga

What is wrong here?


-"lxc-users"  wrote: -
To: LXC users mailing-list 
From: Serge Hallyn 
Sent by: "lxc-users" 
Date: 01/11/2016 19:00
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure 
as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 08/01/16 19:58, Serge Hallyn wrote:
> > Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> >> Hi,
> >>
> >>
> >> Suppose that we create an unprivileged container as root (using the
> >> download template or manually converting it with uidmapshift).
> >>
> >> Such container config will contain (for example) the following maps:
> >>
> >> lxc.id_map = u 0 10 65536
> >> lxc.id_map = g 0 10 65536
> >>
> >> And root would also be allowed to use them:
> >>
> >> $ usermod --add-subuids 10-165536 root
> >> $ usermod --add-subgids 10-165536 root
> >>
> >>
> >> My question is
> >>
> >> From a security point of view, does creating and starting an
> >> unprivileged container as root make any difference compared with doing it
> >> as any other user of the host?
> > 
> > Yes.
> > 
> > For example, if you'll then be running lxc-attach as root instead of as
> > an unpriv user, then any attacks from inside the container against
> > lxc-attach will attack the root user.
> > 
> 
> Is this the only difference from a security point of view?
> Suppose that I don't use lxc-attach, but lxc-console or login via ssh.

The monitor (look for "[lxc monitor]" in process listing) runs with your
uid.  So if there were a way for the container to make the lxc monitor
execute code, it would be privilege escalation.

Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-08 Thread Serge Hallyn
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> Hi,
> 
> 
> Suppose that we create an unprivileged container as root (using the
> download template or manually converting it with uidmapshift).
> 
> Such container config will contain (for example) the following maps:
> 
> lxc.id_map = u 0 10 65536
> lxc.id_map = g 0 10 65536
> 
> And root would also be allowed to use them:
> 
> $ usermod --add-subuids 10-165536 root
> $ usermod --add-subgids 10-165536 root
> 
> 
> My question is
> 
> From a security point of view, does creating and starting an
> unprivileged container as root make any difference compared with doing it
> as any other user of the host?

Yes.

For example, if you'll then be running lxc-attach as root instead of as
an unpriv user, then any attacks from inside the container against lxc-attach
will attack the root user.

> My understanding is that once the unprivileged container is running,
> root inside such container won't be able to get a host_uid < 10 (in
> this example) so starting the unprivileged container as root will be as
> secure as starting the container as any other user that is allowed to do
> so via the subuid/subgid maps. Is this right?
> 
> Thanks.
> 




[lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

2016-01-08 Thread Carlos Alberto Lopez Perez
Hi,


Suppose that we create an unprivileged container as root (using the
download template or manually converting it with uidmapshift).

Such container config will contain (for example) the following maps:

lxc.id_map = u 0 10 65536
lxc.id_map = g 0 10 65536

And root would also be allowed to use them:

$ usermod --add-subuids 10-165536 root
$ usermod --add-subgids 10-165536 root


My question is

From a security point of view, does creating and starting an
unprivileged container as root make any difference compared with doing it
as any other user of the host?

My understanding is that once the unprivileged container is running,
root inside such container won't be able to get a host_uid < 10 (in
this example) so starting the unprivileged container as root will be as
secure as starting the container as any other user that is allowed to do
so via the subuid/subgid maps. Is this right?

Thanks.



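
The setup described in this question (an `lxc.id_map` pair plus matching `usermod --add-subuids`/`--add-subgids` grants) can be audited mechanically before the container is started: translate a container uid to the host uid it lands on, and confirm that every mapped range stays above a chosen host-id floor and lies within a range delegated to the starting user. The script below is an added example, not code from the thread or from the LXC project. The mapping values it uses (65536 ids starting at host id 100000), the subuid/subgid grants, the rootfs path and the floor of 1000 are all constructed for the example and are not the values from the original mail.

```shell
#!/bin/sh
# Added example (not from the thread or the LXC project): audit the id map of
# an unprivileged container before starting it. Two checks a defender wants
# settled:
#   1. which host uid a given container uid (root = 0, say) lands on, so that
#      "root inside the container" is visibly an unprivileged host id;
#   2. that every mapped range starts at or above a chosen host-id floor and
#      lies inside a range delegated to the starting user in /etc/subuid and
#      /etc/subgid (the usermod --add-subuids/--add-subgids step).
# All values below are constructed for the example, not taken from the mail.

# Constructed container config: 65536 ids, container id 0 -> host id 100000.
IDMAP_CONFIG='lxc.rootfs = /var/lib/lxc/example/rootfs
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# Constructed /etc/subuid and /etc/subgid contents (user:start:count).
SUBUID_FILE='root:100000:65536
lxduser:165536:65536'
SUBGID_FILE="$SUBUID_FILE"

# host_id_for CONFIG TYPE CONTAINER_ID
# Prints the host id that TYPE ("u" or "g") CONTAINER_ID maps to, or
# "unmapped" when no lxc.id_map range covers it (such ids appear inside the
# container as the kernel's overflow id rather than as any host account).
# Config line layout: lxc.id_map = TYPE CONTAINER_START HOST_START COUNT.
host_id_for() {
    printf '%s\n' "$1" | awk -v t="$2" -v cid="$3" '
        $1 == "lxc.id_map" && $3 == t && cid >= $4 + 0 && cid < $4 + $6 {
            print $5 + (cid - $4); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# delegated USER START COUNT SUBID_TEXT
# Succeeds when [START, START+COUNT) lies inside one range granted to USER.
delegated() {
    printf '%s\n' "$4" | awk -F: -v u="$1" -v s="$2" -v c="$3" '
        $1 == u && s >= $2 + 0 && s + c <= $2 + $3 { ok = 1 }
        END { exit !ok }'
}

# idmap_ok CONFIG SUBUID_TEXT SUBGID_TEXT FLOOR USER
# Succeeds when every lxc.id_map range starts at or above FLOOR and is
# delegated to USER; each violation is reported on stderr.
idmap_ok() {
    status=0
    # Fields: key "=" kind container_start host_start count.
    while read -r key eq kind cstart hstart count; do
        [ "$key" = "lxc.id_map" ] || continue
        if [ "$hstart" -lt "$4" ]; then
            echo "$kind range $hstart+$count starts below host-id floor $4" >&2
            status=1
        fi
        if [ "$kind" = u ]; then grants="$2"; else grants="$3"; fi
        if ! delegated "$5" "$hstart" "$count" "$grants"; then
            echo "$kind range $hstart+$count is not delegated to $5" >&2
            status=1
        fi
    done <<EOF
$1
EOF
    return $status
}

# Stand-alone use: container root lands on host id 100000, and the map passes
# with a floor of 1000 (below which the host's system accounts live).
echo "container uid 0 -> host uid $(host_id_for "$IDMAP_CONFIG" u 0)"
echo "container uid 65536 -> host uid $(host_id_for "$IDMAP_CONFIG" u 65536)"
if idmap_ok "$IDMAP_CONFIG" "$SUBUID_FILE" "$SUBGID_FILE" 1000 root; then
    echo "id map OK"
else
    echo "id map REJECTED"
fi
```

The floor check is what makes the "root inside the container cannot obtain a low host uid" argument checkable: a map such as `lxc.id_map = u 0 0 65536` would hand container root the host's real uid 0 and is rejected both for starting below the floor and for not being delegated in the sample subuid file. The delegation check covers the other half of the question, that the user starting the container (root or anyone else) actually owns the range it is about to use.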