
Re: Linux 3.2 in wheezy
On Fri, Feb 03, 2012 at 12:31:03PM +0100, Bastian Blank wrote:
> On Mon, Jan 30, 2012 at 02:31:15AM +0100, Marco d'Itri wrote:
> > On Jan 30, Adam Borowski <kilobyte@angband.pl> wrote:
> > > It would be nice to have some documentation about how lxc is different from
> > > them, and how to work around bugs and limitations.  I for one spent ~10
> > Let's start with this: in its current form, it is not designed to
> > protect the host system from an untrusted root user in a guest.
> > So far lxc is nice for testing, but not much more.
> > http://blog.bofh.it/debian/id_413
> 
> This example shows nothing new. If you have CAP_SYS_MOUNT, you can also
> just mount the root filesystem into your own tree.

That's enough only under lxc (or chroot).  In vserver, you'd also need
SECURE_MOUNT, BINARY_MOUNT ccaps, and the MKNOD bcap.  None of those are
granted by default.

Few uses need mount() to be allowed from the inside, but if you really need
it, you give the first two capabilities but not mknod.

> Linux-VServer does not help against processes with too much capabilities,
> not sure about OpenVZ.

That's the reason for adding new restrictions and fine-grained capabilities,
so you can grant only what is needed and nothing more.

> > > * how to execute a command in a running VM?  lxc-execute complains that the
> > Lack of something like VE_ENTER also makes it unsuitable for me.
> 
> ssh works.

It triples the memory footprint of an empty Debian container (init + syslogd +
cron[1]), and adds a new daemon that can be potentially subverted.

Of course, usually sshd is strongly preferred (so much better than needing
near-full privileges on the host!) but for many uses you don't need to log
in to the guest for non-administrative tasks.


[1]. Yeah, cron is something you could shave away too if you really wanted;
not worth the hassle though.

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.
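
[Editor's added example; not part of the mail above, nor code from lxc or
Linux-VServer.]  The trick the thread argues about (guest root mounting the
host's root filesystem) needs two things the kernel gates on capabilities:
mount(2) needs CAP_SYS_ADMIN (there is no "CAP_SYS_MOUNT"), and creating the
host disk's block device node needs CAP_MKNOD.  Whether a guest still has
them is visible in the bounding set the kernel prints as a 64-bit hex mask in
/proc/<pid>/status (CapBnd).  The script below decodes such masks nibble by
nibble (so it needs no 64-bit shell arithmetic) and reports whether both
bits are present; the two status excerpts are constructed samples, and the
bit numbers (CAP_SYS_ADMIN=21, CAP_MKNOD=27) come from <linux/capability.h>.

```shell
#!/bin/sh
# Editor's added example: decode CapBnd from /proc/<pid>/status and tell
# whether a guest root still holds CAP_SYS_ADMIN (mount(2)) and CAP_MKNOD
# (mknod of the host block device), the pair the host-rootfs trick needs.
# Not code from the mail, lxc or util-vserver.  Bit numbers are from
# <linux/capability.h>; the two status excerpts below are constructed.

CAP_SYS_ADMIN=21
CAP_MKNOD=27

# Constructed sample: a privileged guest init with a full bounding set.
PRIVILEGED_STATUS='Name: init
CapInh: 0000000000000000
CapPrm: 0000001fffffffff
CapEff: 0000001fffffffff
CapBnd: 0000001fffffffff'

# Constructed sample: same guest with CAP_SYS_ADMIN (bit 21) and CAP_MKNOD
# (bit 27) cleared from every set (0x1fffffffff minus 0x200000 and 0x8000000).
RESTRICTED_STATUS='Name: init
CapInh: 0000000000000000
CapPrm: 0000001ff7dfffff
CapEff: 0000001ff7dfffff
CapBnd: 0000001ff7dfffff'

# hexdigit_value DIGIT: print the value 0..15 of one hex digit.
hexdigit_value() {
    case "$1" in
        [0-9]) printf '%s' "$1" ;;
        a|A) printf 10 ;; b|B) printf 11 ;; c|C) printf 12 ;;
        d|D) printf 13 ;; e|E) printf 14 ;; f|F) printf 15 ;;
        *) return 1 ;;
    esac
}

# cap_in_mask HEXMASK BIT: succeed if capability number BIT is set in the
# 64-bit hex mask.  Picks the nibble holding BIT and tests one bit of it.
cap_in_mask() {
    mask=$1 bit=$2
    while [ ${#mask} -lt 16 ]; do mask=0$mask; done   # left-pad to 16 nibbles
    pos=$((16 - bit / 4))                             # 1-based column, from the left
    d=$(printf '%s' "$mask" | cut -c"$pos")
    v=$(hexdigit_value "$d") || return 2
    [ $(( (v >> (bit % 4)) & 1 )) -eq 1 ]
}

# capmask_from_status STATUS_TEXT SETNAME: print the hex mask of e.g. CapBnd.
capmask_from_status() {
    printf '%s\n' "$1" | awk -v name="$2:" '$1 == name { print $2; exit }'
}

# can_mount_host_root STATUS_TEXT: succeed if the bounding set still allows
# both mount(2) and creating the host block device node.  Dropping either
# capability from CapBnd is enough to break the trick.  Returns 2 if the
# text has no CapBnd line.
can_mount_host_root() {
    bnd=$(capmask_from_status "$1" CapBnd)
    [ -n "$bnd" ] || return 2
    cap_in_mask "$bnd" "$CAP_SYS_ADMIN" && cap_in_mask "$bnd" "$CAP_MKNOD"
}

# report STATUS_TEXT LABEL: one-line summary for a status excerpt.
report() {
    if can_mount_host_root "$1"; then
        echo "$2: CAP_SYS_ADMIN and CAP_MKNOD both in CapBnd; guest root can reach the host rootfs"
    else
        echo "$2: CAP_SYS_ADMIN or CAP_MKNOD missing from CapBnd"
    fi
}

report "$PRIVILEGED_STATUS" "constructed privileged guest"
report "$RESTRICTED_STATUS" "constructed restricted guest"
# Run inside a real guest to check the shell you are sitting in.
if [ -r /proc/self/status ]; then
    report "$(cat /proc/self/status)" "this process"
fi
```

Run it as root inside the guest (or as the guest's init via
/proc/1/status) rather than from the host: the bounding set is per process,
and it is the one handed to the guest's init that decides what every
descendant can ever regain.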
