Re: [systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?
On 2011-04-23 12:16, Josh Triplett wrote:
> On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
>> On 2011-04-23 10:55, Josh Triplett wrote:
>>> The systemd-nspawn manpage lists the various mechanisms used to isolate
>>> the container, and then says "Note that even though these security
>>> precautions are taken systemd-nspawn is not suitable for secure
>>> container setups. Many of the security features may be circumvented and
>>> are hence primarily useful to avoid accidental changes to the host
>>> system from the container."
>>>
>>> How can a process in a systemd-nspawn container circumvent the container
>>
>> remount /proc and /sys
>
> Ah, good point. So, root inside the container can trivially circumvent
> the container that way. Any way to prevent that with current kernel
> support, or would fixing this require additional kernel changes to lock
> down other /proc and /sys mounts?

OpenVZ is what you need for that. OpenVZ is much like systemd-nspawn, but more secure. So it can be used to provide VPS ;)

> That particular problem only applies if running code within the
> container as root. How about if running code as an unprivileged user?
> With that addition, does systemd-nspawn provide a secure container
> (modulo local privilege escalation vulnerabilities)?
>
> Thanks,
> Josh Triplett

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
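The weakness the thread settles on, root inside the container remounting /proc and /sys, comes down to whether a process in the container can still call mount(2), which requires CAP_SYS_ADMIN. The audit below is an added example (not code from the thread, from systemd, or from systemd-nspawn): it reads the two kernel-provided files a defender would inspect from inside a container, /proc/self/status for the capability masks and /proc/self/mountinfo for the per-mount options, and reports the conditions under which the "remount /proc and /sys" circumvention remains possible. The file contents used as input are constructed samples, one for a container run as unrestricted root and one for a hardened unprivileged process.

```python
"""Audit whether a containerised process could remount /proc or /sys.

Added example, not systemd or systemd-nspawn code. It parses the formats
of /proc/<pid>/status and /proc/<pid>/mountinfo as documented in proc(5);
the sample texts below are constructed, not captured from a real system.
"""

# Bit index of CAP_SYS_ADMIN in the CapEff/CapBnd hex masks (capabilities(7)).
CAP_SYS_ADMIN = 21

# Constructed sample: root with a full capability set and writable /proc, /sys.
INSECURE_STATUS = (
    "Name:\tbash\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
)
INSECURE_MOUNTINFO = (
    "22 1 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "23 1 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n"
)

# Constructed sample: unprivileged uid, empty capability sets, read-only mounts.
HARDENED_STATUS = (
    "Name:\tbash\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
)
HARDENED_MOUNTINFO = (
    "22 1 0:20 / /proc ro,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "23 1 0:21 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n"
)


def parse_status_caps(status_text):
    """Return {"Uid": int, "CapEff": int, "CapBnd": int} from a status file."""
    out = {}
    for line in status_text.splitlines():
        if line.startswith(("CapEff:", "CapBnd:")):
            key, val = line.split(":", 1)
            out[key] = int(val.strip(), 16)  # masks are printed as hex
        elif line.startswith("Uid:"):
            out["Uid"] = int(line.split()[1])  # real uid is the first value
    return out


def parse_mountinfo(mountinfo_text):
    """Map mount point -> set of per-mount options (field 6 of mountinfo)."""
    mounts = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        # id parent major:minor root mountpoint options ... - fstype source superopts
        if len(fields) < 6:
            continue
        mounts[fields[4]] = set(fields[5].split(","))
    return mounts


def has_cap(mask, cap):
    """True if capability bit `cap` is set in a CapEff/CapBnd mask."""
    return bool((mask >> cap) & 1)


def audit(status_text, mountinfo_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    caps = parse_status_caps(status_text)
    mounts = parse_mountinfo(mountinfo_text)
    findings = []
    if has_cap(caps.get("CapEff", 0), CAP_SYS_ADMIN):
        findings.append("CAP_SYS_ADMIN is effective: mount(2) is allowed, "
                        "so /proc and /sys can be remounted")
    elif has_cap(caps.get("CapBnd", 0), CAP_SYS_ADMIN):
        findings.append("CAP_SYS_ADMIN is still in the bounding set and could "
                        "be regained by a privileged exec")
    for mountpoint in ("/proc", "/sys"):
        opts = mounts.get(mountpoint)
        if opts is None:
            findings.append(f"{mountpoint} is not mounted")
        elif "ro" not in opts:
            findings.append(f"{mountpoint} is writable (no 'ro' mount option)")
    return findings


if __name__ == "__main__":
    for label, st, mi in (("insecure", INSECURE_STATUS, INSECURE_MOUNTINFO),
                          ("hardened", HARDENED_STATUS, HARDENED_MOUNTINFO)):
        print(label, audit(st, mi) or ["no findings"])
```

Running it on a live container means substituting the contents of /proc/self/status and /proc/self/mountinfo for the two constructed samples. The capability check is the one that matters: a read-only /proc or /sys only helps while the process cannot remount it, which is exactly why the thread's answer for root-in-container is "not with this setup".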
Re: [systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?
On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
> On 2011-04-23 10:55, Josh Triplett wrote:
> > The systemd-nspawn manpage lists the various mechanisms used to isolate
> > the container, and then says "Note that even though these security
> > precautions are taken systemd-nspawn is not suitable for secure
> > container setups. Many of the security features may be circumvented and
> > are hence primarily useful to avoid accidental changes to the host
> > system from the container."
> >
> > How can a process in a systemd-nspawn container circumvent the container
>
> remount /proc and /sys

Ah, good point. So, root inside the container can trivially circumvent the container that way. Any way to prevent that with current kernel support, or would fixing this require additional kernel changes to lock down other /proc and /sys mounts?

That particular problem only applies if running code within the container as root. How about if running code as an unprivileged user? With that addition, does systemd-nspawn provide a secure container (modulo local privilege escalation vulnerabilities)?

Thanks,
Josh Triplett
Re: [systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?
On 2011-04-23 10:55, Josh Triplett wrote:
> The systemd-nspawn manpage lists the various mechanisms used to isolate
> the container, and then says "Note that even though these security
> precautions are taken systemd-nspawn is not suitable for secure
> container setups. Many of the security features may be circumvented and
> are hence primarily useful to avoid accidental changes to the host
> system from the container."
>
> How can a process in a systemd-nspawn container circumvent the container

remount /proc and /sys

> setup? What additional steps would systemd-nspawn need to take to
> provide a secure container setup?
>
> - Josh Triplett
[systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?
The systemd-nspawn manpage lists the various mechanisms used to isolate the container, and then says "Note that even though these security precautions are taken systemd-nspawn is not suitable for secure container setups. Many of the security features may be circumvented and are hence primarily useful to avoid accidental changes to the host system from the container."

How can a process in a systemd-nspawn container circumvent the container setup? What additional steps would systemd-nspawn need to take to provide a secure container setup?

- Josh Triplett
[systemd-devel] [PATCH] mount-setup: failure to mount cgroup controllers is not fatal
Even after commit e5a53dc7 "cgroup: be nice to Ingo Molnar" systemd still hangs on boot on a kernel without CONFIG_CGROUPS. mount_setup() must not fail when cgroup controllers cannot be mounted. https://bugzilla.redhat.com/show_bug.cgi?id=628004 --- src/mount-setup.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/src/mount-setup.c b/src/mount-setup.c index db5c253..dcf237b 100644 --- a/src/mount-setup.c +++ b/src/mount-setup.c @@ -258,5 +258,7 @@ int mount_setup(void) { /* Create a few directories we always want around */ mkdir("/run/systemd", 0755); -return mount_cgroup_controllers(); +mount_cgroup_controllers(); + +return 0; } ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
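Review bot: the hunk replaces `return mount_cgroup_controllers();` with a bare `mount_cgroup_controllers();` followed by `return 0;`, which throws away the error code without leaving any trace in the log. Since the stated motivation is a kernel built without CONFIG_CGROUPS, the failure is exactly the condition an administrator will later want to diagnose; suggest capturing the result and logging it at warning level (for example `r = mount_cgroup_controllers(); if (r < 0) log_warning(...)`) before returning 0, or at least casting the call to `(void)` so the intentional discard is visible to readers and compilers.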
[systemd-devel] systemctl rescue: Transaction is destructive
Hi,

I'm getting the attached output when I enter 'systemctl rescue' from multi-user.target. The error message sounds a bit cryptic, any idea what goes wrong?

Once that's printed, I can switch VTs, but nothing else (can't type etc.), that's why I attached a screenshot.

Thanks,
Miklos
[systemd-devel] How to implement fsck progress report with systemd and plymouth?
Hi all,

plymouth in Ubuntu 10.04 supports fsck progress report, and also provides a chance for user to cancel running fsck. How to implement this feature with systemd and plymouth?

I did some investigation, found:

1. ubuntu patches on_update() of plymouth/src/main.c, it will filter out status message from fsck, if message starts with "fsck:".
2. ubuntu provides a plymouth theme -- ubuntu-logo, which is of type script, and has some fsck related stuff.

I guess we need:

1. Support "detailed status report" in plymouth, e.g. colon separated fields.
2. Hook fsck detailed message to each theme in plymouth ?
3. Emit fsck message to plymouth in systemd-fsck.
4. How to support user-cancellable fsck?

Any idea?

-- 
Regards,
- cee1
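Items 1 and 3 of the proposal above (a colon-separated "fsck:" status message, emitted by the systemd side) are the part that can be sketched in code. The following is an added example, not code from systemd, plymouth or Ubuntu: it assumes e2fsck is run with its `-C fd` option, which makes it write one line of the form `pass cur max device` per progress update to that file descriptor, and it assumes a message layout of `fsck:<device>:<percent>` for plymouth, which is a guess at what the thread's "colon separated fields" might look like rather than an established format. The per-pass weights and the sample progress lines are constructed.

```python
"""Convert e2fsck -C progress lines into "fsck:" status messages for plymouth.

Added example, not systemd-fsck or plymouth code. Assumptions: e2fsck's
"-C fd" output ("pass cur max device", one line per update), the message
layout fsck:<device>:<percent> (hypothetical), and the pass weights below.
"""

E2FSCK_PASSES = 5
# Assumed relative cost of each e2fsck pass; pass 1 (inode scan) dominates.
PASS_WEIGHTS = {1: 70, 2: 20, 3: 2, 4: 4, 5: 4}
TOTAL_WEIGHT = sum(PASS_WEIGHTS.values())

# Constructed sample of what e2fsck writes to the -C file descriptor.
SAMPLE_PROGRESS = [
    "1 35 70 /dev/sda1",
    "1 35 70 /dev/sda1",      # repeated update, should not be re-sent
    "2 0 10 /dev/sda1",
    "this is not progress",   # e.g. stray output, must be ignored
    "5 4 4 /dev/sda1",
]


def parse_progress_line(line):
    """Parse 'pass cur max device'; return (pass, cur, max, device) or None."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    try:
        pass_no, cur, maximum = int(parts[0]), int(parts[1]), int(parts[2])
    except ValueError:
        return None
    # Reject impossible values rather than producing a bogus percentage.
    if not 1 <= pass_no <= E2FSCK_PASSES or maximum <= 0 or cur < 0:
        return None
    return pass_no, min(cur, maximum), maximum, parts[3].strip()


def overall_percent(pass_no, cur, maximum):
    """Weighted progress across all passes, as an integer 0..100."""
    done = sum(PASS_WEIGHTS[p] for p in range(1, pass_no))
    done += PASS_WEIGHTS[pass_no] * cur / maximum
    return int(done * 100 / TOTAL_WEIGHT)


def to_plymouth_message(line):
    """Build the hypothetical fsck:<device>:<percent> message, or None."""
    parsed = parse_progress_line(line)
    if parsed is None:
        return None
    pass_no, cur, maximum, device = parsed
    return f"fsck:{device}:{overall_percent(pass_no, cur, maximum)}"


def progress_messages(lines):
    """Yield a message only when the reported value changes, to avoid flooding."""
    last = None
    for line in lines:
        msg = to_plymouth_message(line)
        if msg is not None and msg != last:
            last = msg
            yield msg


if __name__ == "__main__":
    # In systemd-fsck this would read from the pipe behind e2fsck -C and
    # hand each message to plymouth instead of printing it.
    for message in progress_messages(SAMPLE_PROGRESS):
        print(message)
```

Deduplicating on the rendered message (rather than on the raw line) matters in practice: e2fsck reports progress far more often than a boot splash can redraw, and only changes in the percentage are worth passing on. Cancelling a running fsck (item 4) is a separate problem that this example does not address.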