
Re: docker.io wheezy-backport



On Mon, Feb 10, 2014 at 03:09:29PM +0000, Ben Hutchings wrote:
> On Mon, 2014-02-10 at 13:10 +0000, Simon McVittie wrote:
> > On 09/02/14 17:41, Miguel Landaeta wrote:
> > > During this weekend I was playing with Docker and since I noticed 
> > > there are no backports for stable right now, I decided to try to 
> > > backport it.
> > 
> > Does it need a newer kernel/LXC than what's in wheezy for it to be secure?
> > 
> > <http://blog.bofh.it/debian/id_413> was a couple of years ago, so I
> > hope that improvements in the kernel mean it's no longer valid... but
> > I haven't seen anything specifically say that it isn't.
> > 
> > Similarly,
> > <https://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS>
> > and <https://wiki.ubuntu.com/UserNamespace> seem relevant, although
> > they are hopefully just outdated.
> > 
> > <http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/>
> > claims that the warning given in the Gentoo article is not relevant to
> > Linux 3.8+, but wheezy only has 3.2.
> > 
> > Depending on a newer kernel is awkward, unfortunately. Perhaps it'd be
> > worth discussing this with the Debian kernel maintainers.
> 
> I don't know what the kernel requirements are, but since
> wheezy-backports does get new kernel versions I don't think this would
> be a problem.
> 
> Maybe this package should include a run-time check on the kernel version.
> That's just as true in sid as it is in wheezy-backports.

Just tried md's exploit on blog.bofh.it with kernel 3.12 (Jessie). Result:
  host$ cat /tmp/evil-helper.log 
  hi!

:'(

From the blog.docker.io article I understand that docker.io expects
the user to secure the container through other means anyway, such as
running all the container processes as non-root.

-- 
Sylvain
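
The run-time kernel version check suggested above, as an added example that is not part of the docker.io package or anything posted in this thread. The 3.8 minimum is an assumption taken from the blog.docker.io article cited in the thread; as Sylvain's result on 3.12 shows, such a check is only a floor on the kernel version, not evidence that the container is actually secure.

```shell
#!/bin/sh
# Added example: a portable (POSIX sh) kernel version gate of the kind
# suggested in the thread. Not the docker.io package's own code. The
# minimum of 3.8 is an assumption drawn from the cited blog.docker.io post.

# Reduce a release string such as "3.2.0-4-amd64" or "3.8-rc1" to
# "MAJOR MINOR". Everything from the first character that is neither a
# digit nor a dot (the "-4-amd64" / "-rc1" suffix) is dropped. Prints
# nothing and returns 1 if no major number can be found.
kernel_key() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    [ -n "$major" ] || return 1
    [ -n "$minor" ] || minor=0
    echo "$major $minor"
}

# kernel_at_least RELEASE MIN
# Returns 0 if RELEASE (e.g. from `uname -r`) is at least MIN ("MAJOR.MINOR"),
# 1 if it is older, and 2 if either string cannot be parsed.
kernel_at_least() {
    set -- "$(kernel_key "$1")" "$(kernel_key "$2")"
    [ -n "$1" ] && [ -n "$2" ] || return 2
    have_major=${1% *}; have_minor=${1#* }
    need_major=${2% *}; need_minor=${2#* }
    if [ "$have_major" -gt "$need_major" ]; then return 0; fi
    if [ "$have_major" -lt "$need_major" ]; then return 1; fi
    [ "$have_minor" -ge "$need_minor" ]
}

# Gate on the running kernel. Exits non-zero with a message on stderr when the
# kernel is older than the minimum (default 3.8, an assumption, see above).
check_running_kernel() {
    min="${1:-3.8}"
    running=$(uname -r)
    if kernel_at_least "$running" "$min"; then
        echo "kernel $running: at least $min, continuing"
    else
        echo "kernel $running is older than $min; refusing to start" >&2
        return 1
    fi
}

# Usage from an init script or wrapper: abort before starting the daemon.
# check_running_kernel 3.8 || exit 1
```

On wheezy's stock 3.2 kernel the check fails; on a wheezy-backports 3.12 kernel it passes, which, per the test reported above, says nothing about whether the container can still reach the host.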

