Re: docker.io wheezy-backport

To: Sylvain <beuc@beuc.net>
Cc: debian-backports@lists.debian.org
Subject: Re: docker.io wheezy-backport
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 10 Feb 2014 17:24:17 +0000
Message-id: <[🔎] 1392053057.12555.6.camel@deadeye.wl.decadent.org.uk>
In-reply-to: <[🔎] 20140210154121.GB15209@mail.beuc.net>
References: <[🔎] 20140209174158.GA31571@alice.nomadium.lan> <[🔎] 52F8CFD4.9040509@debian.org> <[🔎] 1392044969.25202.113.camel@deadeye.wl.decadent.org.uk> <[🔎] 20140210154121.GB15209@mail.beuc.net>

On Mon, 2014-02-10 at 16:41 +0100, Sylvain wrote:
> On Mon, Feb 10, 2014 at 03:09:29PM +0000, Ben Hutchings wrote:
> > On Mon, 2014-02-10 at 13:10 +0000, Simon McVittie wrote:
> > > On 09/02/14 17:41, Miguel Landaeta wrote:
> > > > During this weekend I was playing with Docker and since I noticed 
> > > > there are no backports for stable right now, I decided to try to 
> > > > backport it.
> > > 
> > > Does it need a newer kernel/LXC than what's in wheezy for it to be secure?
> > > 
> > > <http://blog.bofh.it/debian/id_413> was a couple of years ago, so I
> > > hope that improvements in the kernel mean it's no longer valid... but
> > > I haven't seen anything specifically say that it isn't.
> > > 
> > > Similarly,
> > > <https://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS>
> > > and <https://wiki.ubuntu.com/UserNamespace> seem relevant, although
> > > they are hopefully just outdated.
> > > 
> > > <http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/>
> > > claims that the warning given in the Gentoo article is not relevant to
> > > Linux 3.8+, but wheezy only has 3.2.
> > > 
> > > Depending on a newer kernel is awkward, unfortunately. Perhaps it'd be
> > > worth discussing this with the Debian kernel maintainers.
> > 
> > I don't know what the kernel requirements are, but since
> > wheezy-backports does get new kernel versions I don't think this would
> > be a problem.
> > 
> > Maye this package should include a run-time check on the kernel version.
> > That's just as true in sid as it is in wheezy-backports.
> 
> Just tried md's exploit on blog.bofh.it with kernel 3.12 (Jessie). Result:
>   host$ cat /tmp/evil-helper.log 
>   hi!
> 
> :'(

Are you sure?  The point is you should not be able to write to
/sys/kernel/uevent_helper while running as root in the container because
that should not be the same as the 'real' root.  Our packages of Linux
3.12 have user namespaces enabled... but I don't know whether Docker
will use them.

Ben.

> From the blog.docker.io article I understand that docker.io expects
> the user to secure the container through other means anyway, such as
> running all the container processes as non-root.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: docker.io wheezy-backport
  - From: Sylvain <beuc@beuc.net>

References:
- docker.io wheezy-backport
  - From: Miguel Landaeta <nomadium@debian.org>
- Re: docker.io wheezy-backport
  - From: Simon McVittie <smcv@debian.org>
- Re: docker.io wheezy-backport
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: docker.io wheezy-backport
  - From: Sylvain <beuc@beuc.net>

Prev by Date: Re: docker.io wheezy-backport
Next by Date: Re: docker.io wheezy-backport
Previous by thread: Re: docker.io wheezy-backport
Next by thread: Re: docker.io wheezy-backport
Index(es):
- Date
- Thread