On Mon, 2014-02-10 at 18:40 +0100, Sylvain wrote:
> On Mon, Feb 10, 2014 at 05:24:17PM +0000, Ben Hutchings wrote:
> > On Mon, 2014-02-10 at 16:41 +0100, Sylvain wrote:
> > > On Mon, Feb 10, 2014 at 03:09:29PM +0000, Ben Hutchings wrote:
> > > > On Mon, 2014-02-10 at 13:10 +0000, Simon McVittie wrote:
> > > > > On 09/02/14 17:41, Miguel Landaeta wrote:
> > > > > > During this weekend I was playing with Docker and since I noticed
> > > > > > there are no backports for stable right now, I decided to try to
> > > > > > backport it.
> > > > >
> > > > > Does it need a newer kernel/LXC than what's in wheezy for it to be secure?
> > > > >
> > > > > <http://blog.bofh.it/debian/id_413> was a couple of years ago, so I
> > > > > hope that improvements in the kernel mean it's no longer valid... but
> > > > > I haven't seen anything specifically say that it isn't.
> > > > >
> > > > > Similarly,
> > > > > <https://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS>
> > > > > and <https://wiki.ubuntu.com/UserNamespace> seem relevant, although
> > > > > they are hopefully just outdated.
> > > > >
> > > > > <http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/>
> > > > > claims that the warning given in the Gentoo article is not relevant to
> > > > > Linux 3.8+, but wheezy only has 3.2.
> > > > >
> > > > > Depending on a newer kernel is awkward, unfortunately. Perhaps it'd be
> > > > > worth discussing this with the Debian kernel maintainers.
> > > >
> > > > I don't know what the kernel requirements are, but since
> > > > wheezy-backports does get new kernel versions I don't think this would
> > > > be a problem.
> > > >
> > > > Maye this package should include a run-time check on the kernel version.
> > > > That's just as true in sid as it is in wheezy-backports.
> > >
> > > Just tried md's exploit on blog.bofh.it with kernel 3.12 (Jessie). Result:
> > > host$ cat /tmp/evil-helper.log
> > > hi!
> > >
> > > :'(
> >
> > Are you sure? The point is you should not be able to write to
> > /sys/kernel/uevent_helper while running as root in the container because
> > that should not be the same as the 'real' root. Our packages of Linux
> > 3.12 have user namespaces enabled... but I don't know whether Docker
> > will use them.
>
> Well using 'testing' I ran:
> aptitude install lxc
> mount cgroup
> lxc-create -n secu1 -t debian
> lxc-start -n secu1 -d
> lxc-console -n secu1
> then I applied the recipe from md.
>
> So I may have missed something obvious but I'm pretty sure, yes :/
I don't believe LXC creates a user namespace by default. You have to
explicitly configure it. See lxc.conf(5).
Ben.
--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus
Attachment:
signature.asc
Description: This is a digitally signed message part