| 1 |
On Thu, Mar 8, 2018 at 4:00 PM, R0b0t1 <r030t1@×××××.com> wrote: |
| 2 |
> On Thu, Mar 8, 2018 at 11:50 AM, Rich Freeman <rich0@g.o> wrote: |
| 3 |
>> If you have util-linux installed then try running (as any user - you |
| 4 |
>> don't have to be root): |
| 5 |
>> unshare -i -m -n -p -u -C -f --mount-proc -U -r /bin/bash |
| 6 |
>> |
| 7 |
> |
| 8 |
> Interesting. I hadn't found a good interface to containers and |
| 9 |
> clone(2) besides Docker. Of course, I didn't look very hard. I half |
| 10 |
> expect a "new" process model to develop around the kernel namespaces, |
| 11 |
> as people realize GID separation only is too coarse. |
| 12 |
|
| 13 |
Well, the original userspace tools are in app-emulation/lxc (I can see |
| 14 |
how it ended up in this category, but obviously it doesn't fit). |
| 15 |
|
| 16 |
Docker is the most popular one. |
| 17 |
|
| 18 |
My personal favorite is systemd-nspawn. That basically has almost |
| 19 |
nothing to do with systemd per-se, but I have no idea if it can work |
| 20 |
standalone. It is a bit more minimal while still being fairly |
| 21 |
functional. |
| 22 |
|
| 23 |
unshare/nsenter are the util-linux commands that give relatively |
| 24 |
direct access to the system calls themselves. I used unshare to |
| 25 |
illustrate that these really are just system calls and how you use |
| 26 |
them is up to you. |
| 27 |
|
| 28 |
> |
| 29 |
> I still see some odd claims about container security, though: claiming |
| 30 |
> containers are more secure than user accounts still seems odd to me, |
| 31 |
> as if you don't trust the kernel to enforce user accounts, why trust |
| 32 |
> it to enforce namespace separation? |
| 33 |
> |
| 34 |
|
| 35 |
I'm not sure I'd say that containers are more than user accounts |
| 36 |
per-se, though with UID mapping it could be easier to avoid sharing |
| 37 |
user/group IDs across different services that might otherwise share |
| 38 |
them. |
| 39 |
|
| 40 |
I'd say that the security of a container is a bit like the security of |
| 41 |
running something in a chroot jail. It is one additional level of |
| 42 |
isolation that something needs to break out of. |
| 43 |
|
| 44 |
Processes running as root inside a container (and I mean the real |
| 45 |
root, not root in a user namespace like in my example - unless you ran |
| 46 |
the command I gave while logged in as root) are not secure today as |
| 47 |
far as I'm aware. Sure, the isolation is such that a process isn't |
| 48 |
going to accidentally escape from the container, so that is a form of |
| 49 |
security. However, a malicious process running as root inside a |
| 50 |
container (or a chroot) is generally going to be able to escape if it |
| 51 |
wants to. Maybe some kernel hardening approaches would help with |
| 52 |
that. |
| 53 |
|
| 54 |
Also, a process running in a container has less info on the host, |
| 55 |
especially if in a chroot (which is typically the case). If you run a |
| 56 |
shell as nobody you could probably glean quite a bit about what is |
| 57 |
going on with the host, even if you can't directly touch most of it. |
| 58 |
If you could run a process as nobody on many hosts maybe you could |
| 59 |
identify which hosts you want to prioritize for further attacks. If |
| 60 |
they're doing the same thing on processes trapped in a |
| 61 |
container+chroot then they're basically not going to know about any |
| 62 |
other services on the host other than the one they've already hacked |
| 63 |
into. |
| 64 |
|
| 65 |
Stuff running as non-root inside a container should be very well |
| 66 |
contained, barring kernel bugs. As we saw a few months ago with |
| 67 |
meltdown even running in a VM isn't a perfect guarantee of isolation. |
| 68 |
But, I would agree that stuff running under a different UID is also |
| 69 |
reasonably secure other than information leaks. |
| 70 |
|
| 71 |
The main benefit of containers is isolation, IMO. Stuff inside a |
| 72 |
container just doesn't see anything outside, which means fewer |
| 73 |
incompatibilities. I run a bunch of nspawn containers mostly running |
| 74 |
Gentoo (some with other distros inside), and the nice thing about it |
| 75 |
is that when I update a container I know it only provides one service, |
| 76 |
so I only have one service I need to test, vs doing a glibc update and |
| 77 |
having to test everything. On the other hand it is that many more |
| 78 |
updates to do, and there is a bit more memory cost since libraries |
| 79 |
aren't shared across them the way they would be if they all ran on the |
| 80 |
host. |
| 81 |
|
| 82 |
-- |
| 83 |
Rich |
Archives