Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
I think that is correct. Except that it's not the host on which you run
'lxc' which matters, but the one running the lxd daemons. But yes, afaik
you can create a container which mounts /dev/sda as a disk device and do
what you like.

Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> Since LXD is starting the unprivileged containers as root, does that mean
> that from a security point of view there is no difference between running the
> 'lxc' commands from a user which is member of the 'sudo' group and a user
> which is not?
> For plain LXC I've understood that it is more secure to run as a user which
> is not member of the 'sudo' group. That doesn't seem to be the case for LXD
> anymore. Is that correct?
>
> -"lxc-users" wrote: -
> To: LXC users mailing-list
> From: Serge Hallyn
> Sent by: "lxc-users"
> Date: 01/11/2016 23:36
> Subject: Re: [lxc-users] is starting unprivileged containers as root as
> secure as running them as any other user?
>
> Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> > On 11/01/16 23:13, Serge Hallyn wrote:
> > > Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> > >> Hmm, this is interesting.
> > >> I am running my container from the unprivileged user 'lxduser' and yet:
> > >>
> > >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> > >> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
> > >>
> > >> What is wrong here?
> > >
> > > You're using lxd. Lxd runs as root. You are not starting the
> > > containers as 'lxduser' - you are making requests as 'lxduser' for
> > > the root-owned process 'lxd' to start the containers.
> >
> > I understood that LXD uses unprivileged containers by default...
> >
> > Does this mean that LXD is starting the unprivileged containers as root?
>
> yes. It does many things which an unprivileged user cannot do, so it has
> to run as root.
>
> The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> lxd interposes a pty between your console and the container's.

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
On 11/01/16 23:36, Serge Hallyn wrote:
> The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> lxd interposes a pty between your console and the container's.

I understand that I could do the same (get a fresh PTY before attaching) with
(for example): "screen lxc-attach ..." [1]

Do you think it will be a good idea to patch lxc-attach to automatically do
that (get a fresh PTY before attaching)?

Will this solve all known security issues regarding the usage of lxc-attach?
Or is there something more that I'm missing other than the PTY vulnerability?

Regards.

[1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
I noticed that lxc-attach does not run

source /etc/profile

and that is an issue since we set many environment variables and settings
that are needed for what comes next.
Is there a workaround?

On Wed, Jan 13, 2016 at 4:49 PM, Serge Hallyn wrote:
> Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> > On 11/01/16 23:36, Serge Hallyn wrote:
> > > The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> > > lxd interposes a pty between your console and the container's.
> >
> > I understand that I could do the same (get a fresh PTY before attaching) with
> > (for example): "screen lxc-attach ..." [1]
> >
> > Do you think it will be a good idea to patch lxc-attach to automatically do
> > that (get a fresh PTY before attaching)?
>
> Yes, I'd really like someone to do that. It's on my list,
> but that list is pretty long.
>
> > Will this solve all known security issues regarding the usage of lxc-attach?
>
> I think so.
>
> > Or is there something more that I'm missing other than the PTY vulnerability?
> >
> > Regards.
> >
> > [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 11/01/16 23:36, Serge Hallyn wrote:
> > The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
> > lxd interposes a pty between your console and the container's.
>
> I understand that I could do the same (get a fresh PTY before attaching) with
> (for example): "screen lxc-attach ..." [1]
>
> Do you think it will be a good idea to patch lxc-attach to automatically do
> that (get a fresh PTY before attaching)?

Yes, I'd really like someone to do that. It's on my list,
but that list is pretty long.

> Will this solve all known security issues regarding the usage of lxc-attach?

I think so.

> Or is there something more that I'm missing other than the PTY vulnerability?
>
> Regards.
>
> [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
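The interposed pty that Carlos asks about and Serge endorses, as an added example that is not part of this thread and is neither LXC's nor LXD's code (nor the lxc-attach patch Serge is waiting for): a Python wrapper that allocates a fresh pty with `pty.fork()`, runs the given command on it, and relays bytes between the caller's terminal and the new one. The attached process only ever holds the slave side of the new pty, so it cannot reach the caller's own terminal device, which is what `screen lxc-attach ...` buys you too. The `lxc-attach` invocation in the usage comment is a placeholder.

```python
"""Run a command behind a freshly allocated pseudo-terminal.

Added example, not code from LXC or LXD. It demonstrates the mitigation the
thread describes: rather than letting the attached process inherit the
caller's terminal, allocate a new pty, make it the child's controlling
terminal, and relay bytes between the two. ``script``, ``screen`` and
``lxc exec`` interpose a pty in the same spirit.
"""
import os
import pty
import select
import sys
import termios
import tty


def run_with_fresh_pty(argv, interactive=None):
    """Execute argv with a brand-new pty as its controlling terminal.

    Returns (exit_code, output_bytes); output_bytes is everything the child
    wrote to its terminal. When interactive (default: stdin is a tty) the
    caller's keystrokes are forwarded and the child's output is echoed.
    """
    if interactive is None:
        interactive = sys.stdin is not None and sys.stdin.isatty()
    pid, master_fd = pty.fork()
    if pid == 0:
        # Child: pty.fork() made the new slave pty our controlling terminal
        # and wired it to fds 0, 1 and 2; the caller's tty is not inherited.
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)

    stdin_fd = sys.stdin.fileno() if interactive else None
    saved = None
    if interactive:
        saved = termios.tcgetattr(stdin_fd)   # restore cooked mode on exit
        tty.setraw(stdin_fd)                  # pass every keystroke through
    fds = [master_fd] + ([stdin_fd] if interactive else [])
    output = bytearray()
    try:
        while True:
            readable, _, _ = select.select(fds, [], [])
            if master_fd in readable:
                try:
                    data = os.read(master_fd, 4096)
                except OSError:     # Linux reports EIO once the slave is gone
                    data = b""
                if not data:        # EOF: the child closed its terminal
                    break
                output += data
                if interactive:
                    os.write(sys.stdout.fileno(), data)
            if interactive and stdin_fd in readable:
                data = os.read(stdin_fd, 4096)
                if not data:        # caller's stdin closed; keep draining child
                    fds.remove(stdin_fd)
                else:
                    os.write(master_fd, data)
    finally:
        if saved is not None:
            termios.tcsetattr(stdin_fd, termios.TCSADRAIN, saved)
        os.close(master_fd)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return code, bytes(output)


if __name__ == "__main__":
    # Usage (container name is a placeholder):
    #   python3 fresh_pty.py lxc-attach -n mycontainer -- /bin/bash
    sys.exit(run_with_fresh_pty(sys.argv[1:])[0])
```

The wrapper does not propagate window-size changes to the child, which `screen` and `lxc exec` do handle, so it shows the mechanism rather than replacing those tools. In interactive use Ctrl-C still reaches the child because the byte is written to the new pty, whose line discipline delivers SIGINT to the child, not to the wrapper.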
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Greetings, Saint Michael!

> I noticed that lxc-attach does not run
> source /etc/profile
> and that is an issue since we set many environment variables and settings
> that are needed for what comes next.
> Is there a workaround?

lxc-attach -n container -- sudo -i

--
With best regards,
Andrey Repin
Thursday, January 14, 2016 06:55:42

Sorry for my terrible english...
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> So if I understood correctly, this means that lxd could potentially suffer
> from a weakness in 'lxc monitor' meaning that it is more secure to run
> unprivileged containers using the low level lxc-... functions?

I mentioned the lxc-monitor case for completeness, but as there should be
no sockets etc from the monitor available to the container, it'll be a very
interesting case if/when such a vuln is found.
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
On 11/01/16 23:13, Serge Hallyn wrote:
> Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
>> Hmm, this is interesting.
>> I am running my container from the unprivileged user 'lxduser' and yet:
>>
>> root@qumind:~# ps -ef | grep '[l]xc monitor'
>> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
>>
>> What is wrong here?
>
> You're using lxd. Lxd runs as root. You are not starting the
> containers as 'lxduser' - you are making requests as 'lxduser' for
> the root-owned process 'lxd' to start the containers.

I understood that LXD uses unprivileged containers by default...

Does this mean that LXD is starting the unprivileged containers as root?
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> Hmm, this is interesting.
> I am running my container from the unprivileged user 'lxduser' and yet:
>
> root@qumind:~# ps -ef | grep '[l]xc monitor'
> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
>
> What is wrong here?

You're using lxd. Lxd runs as root. You are not starting the
containers as 'lxduser' - you are making requests as 'lxduser' for
the root-owned process 'lxd' to start the containers.
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 11/01/16 23:13, Serge Hallyn wrote:
> > Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> >> Hmm, this is interesting.
> >> I am running my container from the unprivileged user 'lxduser' and yet:
> >>
> >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> >> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
> >>
> >> What is wrong here?
> >
> > You're using lxd. Lxd runs as root. You are not starting the
> > containers as 'lxduser' - you are making requests as 'lxduser' for
> > the root-owned process 'lxd' to start the containers.
>
> I understood that LXD uses unprivileged containers by default...
>
> Does this mean that LXD is starting the unprivileged containers as root?

yes. It does many things which an unprivileged user cannot do, so it has
to run as root.

The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
lxd interposes a pty between your console and the container's.
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
So if I understood correctly, this means that lxd could potentially suffer
from a weakness in 'lxc monitor' meaning that it is more secure to run
unprivileged containers using the low level lxc-... functions?

-"lxc-users" wrote: -
To: LXC users mailing-list
From: Serge Hallyn
Sent by: "lxc-users"
Date: 01/11/2016 23:36
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 11/01/16 23:13, Serge Hallyn wrote:
> > Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> >> Hmm, this is interesting.
> >> I am running my container from the unprivileged user 'lxduser' and yet:
> >>
> >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> >> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
> >>
> >> What is wrong here?
> >
> > You're using lxd. Lxd runs as root. You are not starting the
> > containers as 'lxduser' - you are making requests as 'lxduser' for
> > the root-owned process 'lxd' to start the containers.
>
> I understood that LXD uses unprivileged containers by default...
>
> Does this mean that LXD is starting the unprivileged containers as root?

yes. It does many things which an unprivileged user cannot do, so it has
to run as root.

The lxc-attach weakness I mentioned does not apply to 'lxc exec', because
lxd interposes a pty between your console and the container's.
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
On 08/01/16 19:58, Serge Hallyn wrote:
> Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
>> Hi,
>>
>>
>> Suppose that we create an unprivileged container as root (using the
>> download template or manually converting it with uidmapshift).
>>
>> Such container config will contain (for example) the following maps:
>>
>> lxc.id_map = u 0 100000 65536
>> lxc.id_map = g 0 100000 65536
>>
>> And root would be also allowed to use them:
>>
>> $ usermod --add-subuids 100000-165536 root
>> $ usermod --add-subgids 100000-165536 root
>>
>>
>> My question is
>>
>> From a security point of view, does creating and starting an
>> unprivileged container as root make any difference than doing it as any
>> other user of the host?
>
> Yes.
>
> For example, if you'll then be running lxc-attach as root instead of as
> an unpriv user, then any attacks from inside the container against lxc-attach
> will attack the root user.
>

Is this the only difference from a security point of view?
Suppose that I don't use lxc-attach, but lxc-console or login via ssh.
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 08/01/16 19:58, Serge Hallyn wrote:
> > Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> >> Hi,
> >>
> >>
> >> Suppose that we create an unprivileged container as root (using the
> >> download template or manually converting it with uidmapshift).
> >>
> >> Such container config will contain (for example) the following maps:
> >>
> >> lxc.id_map = u 0 100000 65536
> >> lxc.id_map = g 0 100000 65536
> >>
> >> And root would be also allowed to use them:
> >>
> >> $ usermod --add-subuids 100000-165536 root
> >> $ usermod --add-subgids 100000-165536 root
> >>
> >>
> >> My question is
> >>
> >> From a security point of view, does creating and starting an
> >> unprivileged container as root make any difference than doing it as any
> >> other user of the host?
> >
> > Yes.
> >
> > For example, if you'll then be running lxc-attach as root instead of as
> > an unpriv user, then any attacks from inside the container against
> > lxc-attach
> > will attack the root user.
> >
>
> Is this the only difference from a security point of view?
> Suppose that I don't use lxc-attach, but lxc-console or login via ssh.

The monitor (look for "[lxc monitor]" in process listing) runs with your
uid. So if there were a way for the container to make the lxc monitor
execute code, it would be privilege escalation.
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Hmm, this is interesting.
I am running my container from the unprivileged user 'lxduser' and yet:

root@qumind:~# ps -ef | grep '[l]xc monitor'
root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga

What is wrong here?

-"lxc-users" wrote: -
To: LXC users mailing-list
From: Serge Hallyn
Sent by: "lxc-users"
Date: 01/11/2016 19:00
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 08/01/16 19:58, Serge Hallyn wrote:
> > Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> >> Hi,
> >>
> >>
> >> Suppose that we create an unprivileged container as root (using the
> >> download template or manually converting it with uidmapshift).
> >>
> >> Such container config will contain (for example) the following maps:
> >>
> >> lxc.id_map = u 0 100000 65536
> >> lxc.id_map = g 0 100000 65536
> >>
> >> And root would be also allowed to use them:
> >>
> >> $ usermod --add-subuids 100000-165536 root
> >> $ usermod --add-subgids 100000-165536 root
> >>
> >>
> >> My question is
> >>
> >> From a security point of view, does creating and starting an
> >> unprivileged container as root make any difference than doing it as any
> >> other user of the host?
> >
> > Yes.
> >
> > For example, if you'll then be running lxc-attach as root instead of as
> > an unpriv user, then any attacks from inside the container against
> > lxc-attach
> > will attack the root user.
> >
>
> Is this the only difference from a security point of view?
> Suppose that I don't use lxc-attach, but lxc-console or login via ssh.

The monitor (look for "[lxc monitor]" in process listing) runs with your
uid. So if there were a way for the container to make the lxc monitor
execute code, it would be privilege escalation.
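Serge's point, that the monitor runs as whoever asked for the container and that LXD asks as root, turned into a host-side audit. This is an added example, not code from LXC or LXD and not part of the thread. It pairs each `[lxc monitor]` row of `ps -ef` with the uid map of the container it supervises (the monitor's child is the container's init, whose `/proc/<pid>/uid_map` describes the mapping) and states whose privileges a container-to-monitor escape would yield; it also lists the members of the `lxd` group, who can drive the root-owned daemon. The `ps`, `uid_map` and `/etc/group` samples embedded below are constructed; the first sample row is the ps line David quotes above. The file and column formats used are the standard ones.

```python
"""Which host uid would a bug in [lxc monitor] hand to the container?

Added example, not code from LXC or LXD. The monitor runs as the user who
started the container: root when the root-owned LXD daemon did it, the
unprivileged user when that user ran lxc-start. The audit below pairs each
monitor with its container's uid map and reports the blast radius.
SAMPLE_* inputs are constructed; the first ps row mirrors the thread.
"""
import subprocess
from collections import namedtuple

Monitor = namedtuple("Monitor", "user pid lxcpath name")

SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      7609     1  0 11:54 ?        00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
lxcuser   8123     1  0 12:01 ?        00:00:00 [lxc monitor] /home/lxcuser/.local/share/lxc web
100000    8200  7609  0 11:54 ?        00:00:00 /sbin/init
"""
SAMPLE_UID_MAP = "         0     100000      65536\n"   # /proc/<init pid>/uid_map
SAMPLE_GROUP = "lxd:x:998:alice,bob\nsudo:x:27:alice\n"   # /etc/group excerpt


def parse_ps_monitors(ps_text):
    """Rows of `ps -ef` whose command is an LXC monitor -> [Monitor]."""
    monitors = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)               # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or not fields[7].startswith("[lxc monitor] "):
            continue
        lxcpath, name = fields[7][len("[lxc monitor] "):].rsplit(" ", 1)
        monitors.append(Monitor(fields[0], int(fields[1]), lxcpath, name))
    return monitors


def container_root_host_uid(uid_map_text):
    """Host uid behind container uid 0, from /proc/<pid>/uid_map text."""
    for line in uid_map_text.splitlines():
        cont, host, count = (int(x) for x in line.split())
        if cont == 0 and count > 0:
            return host
    return None


def lxd_operators(group_text, group="lxd"):
    """Members of the group allowed to talk to the root-owned LXD daemon."""
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0] == group:
            return [m for m in parts[3].split(",") if m]
    return []


def verdict(monitor, uid_map_text):
    """Who a container-to-monitor escape would become, for one container."""
    root_uid = container_root_host_uid(uid_map_text)
    return {
        "container": monitor.name,
        "lxcpath": monitor.lxcpath,
        "monitor_runs_as": monitor.user,
        "container_root_is_host_uid": root_uid,
        "privileged": root_uid == 0,
        "monitor_escape_yields": "host root" if monitor.user == "root"
                                 else f"user {monitor.user}",
    }


def audit_host():
    """Live run on this host: needs ps, pgrep and a readable /proc."""
    ps = subprocess.run(["ps", "-ef"], capture_output=True, text=True,
                        check=True).stdout
    results = []
    for mon in parse_ps_monitors(ps):
        # The monitor's child is the container's init process.
        kids = subprocess.run(["pgrep", "-P", str(mon.pid)],
                              capture_output=True, text=True).stdout.split()
        uid_map = ""
        if kids:
            with open(f"/proc/{kids[0]}/uid_map") as f:
                uid_map = f.read()
        results.append(verdict(mon, uid_map))
    return results


if __name__ == "__main__":
    for v in audit_host():
        print(v)
    with open("/etc/group") as f:
        print("lxd group members (root-equivalent via the daemon):",
              lxd_operators(f.read()))
```

On the host from the thread the first sample row yields a verdict of `monitor_runs_as: root`, `container_root_is_host_uid: 100000`, `privileged: False`: the container itself is unprivileged, but the process that supervises it is root, which is exactly the distinction Serge draws.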
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> Hi,
>
>
> Suppose that we create an unprivileged container as root (using the
> download template or manually converting it with uidmapshift).
>
> Such container config will contain (for example) the following maps:
>
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
>
> And root would be also allowed to use them:
>
> $ usermod --add-subuids 100000-165536 root
> $ usermod --add-subgids 100000-165536 root
>
>
> My question is
>
> From a security point of view, does creating and starting an
> unprivileged container as root make any difference than doing it as any
> other user of the host?

Yes.

For example, if you'll then be running lxc-attach as root instead of as
an unpriv user, then any attacks from inside the container against lxc-attach
will attack the root user.

> My understanding is that once the unprivileged container is running,
> root inside such container won't be able to get a host_uid < 100000 (in
> this example) so starting the unprivileged container as root will be as
> secure as starting the container as any other user that is allowed to do
> so via the subuid/subgid maps. Is this right?
>
> Thanks.
[lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Hi,


Suppose that we create an unprivileged container as root (using the
download template or manually converting it with uidmapshift).

Such container config will contain (for example) the following maps:

lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

And root would be also allowed to use them:

$ usermod --add-subuids 100000-165536 root
$ usermod --add-subgids 100000-165536 root


My question is

From a security point of view, does creating and starting an
unprivileged container as root make any difference than doing it as any
other user of the host?

My understanding is that once the unprivileged container is running,
root inside such container won't be able to get a host_uid < 100000 (in
this example) so starting the unprivileged container as root will be as
secure as starting the container as any other user that is allowed to do
so via the subuid/subgid maps. Is this right?

Thanks.
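The uid arithmetic behind the question, as an added example that is not part of the thread and is not LXC's code: a checker that parses `lxc.id_map` lines (or a running container's `/proc/<pid>/uid_map`) and `/etc/subuid`/`/etc/subgid`, translates container ids to host ids, reports the lowest host id the container can ever act as, and flags maps that include host id 0 or that the starting user has not been delegated. The config, subuid and subgid samples are constructed to match the values in the message; the `100000` base is LXC's usual default. The caveat it encodes is the one Serge raises next: the map bounds what the container's own processes can be, not what the root-owned helpers around it (lxc-attach, the monitor, LXD) can be.

```python
"""Check an unprivileged container's id maps against /etc/subuid and /etc/subgid.

Added example, not code from LXC. With ``lxc.id_map = u 0 100000 65536``
container uid 0 is host uid 100000 and no container id can reach a host id
below 100000, whoever started the container. The checker also flags maps
that include host id 0 (a privileged container) and maps that the starting
user has not been delegated, which newuidmap/newgidmap would refuse for an
unprivileged start. The SAMPLE_* values are constructed to match the thread.
"""
import re
import sys
from collections import namedtuple

IdMap = namedtuple("IdMap", "kind cont_start host_start count")
_CONF_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

SAMPLE_CONFIG = ["lxc.id_map = u 0 100000 65536", "lxc.id_map = g 0 100000 65536"]
SAMPLE_SUBUID = "root:100000:65536\nlxduser:165536:65536\n"   # constructed
SAMPLE_SUBGID = SAMPLE_SUBUID


def parse_config_maps(lines):
    """lxc.id_map lines from a container config -> [IdMap]."""
    maps = []
    for line in lines:
        m = _CONF_RE.match(line)
        if m:
            kind, c, h, n = m.groups()
            maps.append(IdMap(kind, int(c), int(h), int(n)))
    return maps


def parse_proc_maps(kind, text):
    """/proc/<pid>/uid_map or gid_map of a running container -> [IdMap]."""
    maps = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            c, h, n = (int(f) for f in fields)
            maps.append(IdMap(kind, c, h, n))
    return maps


def parse_subids(text):
    """/etc/subuid or /etc/subgid -> {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, start, count = line.split(":")
            ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def container_to_host(maps, kind, cid):
    """Host id that container id `cid` acts as, or None if unmapped
    (unmapped ids appear on the host as the overflow id, normally 65534)."""
    for m in maps:
        if m.kind == kind and m.cont_start <= cid < m.cont_start + m.count:
            return m.host_start + (cid - m.cont_start)
    return None


def lowest_host_id(maps, kind):
    """Smallest host id any process in the container can ever carry."""
    return min((m.host_start for m in maps if m.kind == kind), default=None)


def audit(maps, subuid, subgid, user):
    """Findings for a config that `user` intends to start; [] means clean."""
    findings = []
    for m in maps:
        delegated = (subuid if m.kind == "u" else subgid).get(user, [])
        last = m.host_start + m.count - 1
        if m.host_start == 0:
            findings.append(f"{m.kind}: container id {m.cont_start} is host id 0; "
                            f"this container is privileged, not unprivileged")
        if not any(s <= m.host_start and last < s + n for s, n in delegated):
            findings.append(f"{m.kind}: host range {m.host_start}-{last} is not "
                            f"delegated to {user!r}; newuidmap/newgidmap would "
                            f"refuse it for an unprivileged start")
    return findings


def main(argv):
    # Usage: python3 idmap_check.py [/path/to/container/config user]
    if len(argv) == 3:
        with open(argv[1]) as f:
            maps = parse_config_maps(f)
        with open("/etc/subuid") as f:
            subuid = parse_subids(f.read())
        with open("/etc/subgid") as f:
            subgid = parse_subids(f.read())
        user = argv[2]
    else:   # no arguments: run against the constructed samples
        maps, user = parse_config_maps(SAMPLE_CONFIG), "root"
        subuid, subgid = parse_subids(SAMPLE_SUBUID), parse_subids(SAMPLE_SUBGID)
    print("container root is host uid", container_to_host(maps, "u", 0))
    print("lowest host uid reachable from inside", lowest_host_id(maps, "u"))
    for finding in audit(maps, subuid, subgid, user) or ["no findings"]:
        print(finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports the sample: container root is host uid 100000, the lowest reachable host uid is 100000, and no findings for root. Run as `lxduser` against the same config it reports both ranges as not delegated, which is the subuid/subgid gate the question refers to.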