On Mon, 2014-02-10 at 18:40 +0100, Sylvain wrote:
> On Mon, Feb 10, 2014 at 05:24:17PM +0000, Ben Hutchings wrote:
> > On Mon, 2014-02-10 at 16:41 +0100, Sylvain wrote:
> > > On Mon, Feb 10, 2014 at 03:09:29PM +0000, Ben Hutchings wrote:
> > > > On Mon, 2014-02-10 at 13:10 +0000, Simon McVittie wrote:
> > > > > On 09/02/14 17:41, Miguel Landaeta wrote:
> > > > > > During this weekend I was playing with Docker and since I noticed
> > > > > > there are no backports for stable right now, I decided to try to
> > > > > > backport it.
> > > > >
> > > > > Does it need a newer kernel/LXC than what's in wheezy for it to be secure?
> > > > >
> > > > > <http://blog.bofh.it/debian/id_413> was a couple of years ago, so I
> > > > > hope that improvements in the kernel mean it's no longer valid... but
> > > > > I haven't seen anything specifically say that it isn't.
> > > > >
> > > > > Similarly,
> > > > > <https://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS>
> > > > > and <https://wiki.ubuntu.com/UserNamespace> seem relevant, although
> > > > > they are hopefully just outdated.
> > > > >
> > > > > <http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/>
> > > > > claims that the warning given in the Gentoo article is not relevant to
> > > > > Linux 3.8+, but wheezy only has 3.2.
> > > > >
> > > > > Depending on a newer kernel is awkward, unfortunately. Perhaps it'd be
> > > > > worth discussing this with the Debian kernel maintainers.
> > > >
> > > > I don't know what the kernel requirements are, but since
> > > > wheezy-backports does get new kernel versions I don't think this would
> > > > be a problem.
> > > >
> > > > Maybe this package should include a run-time check on the kernel version.
> > > > That's just as true in sid as it is in wheezy-backports.
> > >
> > > Just tried md's exploit on blog.bofh.it with kernel 3.12 (Jessie). Result:
> > > host$ cat /tmp/evil-helper.log
> > > hi!
> > >
> > > :'(
> >
> > Are you sure? The point is you should not be able to write to
> > /sys/kernel/uevent_helper while running as root in the container because
> > that should not be the same as the 'real' root. Our packages of Linux
> > 3.12 have user namespaces enabled... but I don't know whether Docker
> > will use them.
>
> Well using 'testing' I ran:
> aptitude install lxc
> mount cgroup
> lxc-create -n secu1 -t debian
> lxc-start -n secu1 -d
> lxc-console -n secu1
> then I applied the recipe from md.
>
> So I may have missed something obvious but I'm pretty sure, yes :/

I don't believe LXC creates a user namespace by default. You have to
explicitly configure it. See lxc.conf(5).

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus
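As an added example (not code from this thread or from any of its participants), a POSIX shell version of the run-time check Ben proposes: it tests the kernel version against the 3.8 figure cited from the Docker post above, and tests whether the calling process is really inside a user namespace by comparing /proc/self/uid_map with the identity mapping of the initial namespace, which is exactly the "container root is host root" condition the thread is about. The function names, the file name in the usage comment and the 3.8 threshold are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# A run-time check of the kind Ben suggests: is the kernel new enough, and is
# this process actually inside a user namespace (container root != host root)?

# kernel_at_least MAJOR MINOR [VERSION]: VERSION defaults to `uname -r`.
kernel_at_least() {
    ver=${3:-$(uname -r)}
    have_major=${ver%%.*}          # "3.12-1-amd64" -> "3"
    rest=${ver#*.}                 #                -> "12-1-amd64"
    have_minor=${rest%%[!0-9]*}    #                -> "12"
    [ "$have_major" -gt "$1" ] && return 0
    [ "$have_major" -eq "$1" ] && [ "$have_minor" -ge "$2" ]
}

# in_user_namespace [UID_MAP]: succeeds unless the uid map is the identity
# mapping "0 0 4294967295" of the initial user namespace. A missing or
# unreadable map (kernel without user namespaces, e.g. wheezy's 3.2) counts
# as "not in a user namespace".
in_user_namespace() {
    map=${1:-/proc/self/uid_map}
    [ -r "$map" ] || return 1
    norm=$(awk '{ $1 = $1; print }' "$map")   # squeeze whitespace to one space
    [ "$norm" != "0 0 4294967295" ]
}

# container_root_is_isolated: the property the thread is about. Returns 0
# only when a user namespace separates container root from host root.
# Usage (assumed file name): . ./nscheck.sh && container_root_is_isolated
container_root_is_isolated() {
    if ! kernel_at_least 3 8; then     # 3.8: the figure the Docker post cites
        echo "kernel $(uname -r): no usable user namespaces"; return 1
    fi
    if ! in_user_namespace; then
        echo "initial user namespace: container root is host root"; return 1
    fi
    echo "user namespace active: container root is unprivileged on the host"
}
```

Run inside the container, not on the host: a passing kernel check alone proves nothing, since the 3.12 result above came from a container that the kernel supported but LXC had not put into a user namespace.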