1 |
On Thu, Mar 8, 2018 at 4:00 PM, R0b0t1 <r030t1@×××××.com> wrote: |
2 |
> On Thu, Mar 8, 2018 at 11:50 AM, Rich Freeman <rich0@g.o> wrote: |
3 |
>> If you have util-linux installed then try running (as any user - you |
4 |
>> don't have to be root): |
5 |
>> unshare -i -m -n -p -u -C -f --mount-proc -U -r /bin/bash |
6 |
>> |
7 |
> |
8 |
> Interesting. I hadn't found a good interface to containers and |
9 |
> clone(2) besides Docker. Of course, I didn't look very hard. I half |
10 |
> expect a "new" process model to develop around the kernel namespaces, |
11 |
> as people realize GID separation only is too coarse. |
12 |
|
13 |
Well, the original userspace tools are in app-emulation/lxc (I can see |
14 |
how it ended up in this category, but obviously it doesn't fit). |
15 |
|
16 |
Docker is the most popular one. |
17 |
|
18 |
My personal favorite is systemd-nspawn. That basically has almost |
19 |
nothing to do with systemd per-se, but I have no idea if it can work |
20 |
standalone. It is a bit more minimal while still being fairly |
21 |
functional. |
22 |
|
23 |
unshare/nsenter are the util-linux commands that give relatively |
24 |
direct access to the system calls themselves. I used unshare to |
25 |
illustrate that these really are just system calls and how you use |
26 |
them is up to you. |
27 |
|
28 |
> |
29 |
> I still see some odd claims about container security, though: claiming |
30 |
> containers are more secure than user accounts still seems odd to me, |
31 |
> as if you don't trust the kernel to enforce user accounts, why trust |
32 |
> it to enforce namespace separation? |
33 |
> |
34 |
|
35 |
I'm not sure I'd say that containers are more than user accounts |
36 |
per-se, though with UID mapping it could be easier to avoid sharing |
37 |
user/group IDs across different services that might otherwise share |
38 |
them. |
39 |
|
40 |
I'd say that the security of a container is a bit like the security of |
41 |
running something in a chroot jail. It is one additional level of |
42 |
isolation that something needs to break out of. |
43 |
|
44 |
Processes running as root inside a container (and I mean the real |
45 |
root, not root in a user namespace like in my example - unless you ran |
46 |
the command I gave while logged in as root) are not secure today as |
47 |
far as I'm aware. Sure, the isolation is such that a process isn't |
48 |
going to accidentally escape from the container, so that is a form of |
49 |
security. However, a malicious process running as root inside a |
50 |
container (or a chroot) is generally going to be able to escape if it |
51 |
wants to. Maybe some kernel hardening approaches would help with |
52 |
that. |
53 |
|
54 |
Also, a process running in a container has less info on the host, |
55 |
especially if in a chroot (which is typically the case). If you run a |
56 |
shell as nobody you could probably glean quite a bit about what is |
57 |
going on with the host, even if you can't directly touch most of it. |
58 |
If you could run a process as nobody on many hosts maybe you could |
59 |
identify which hosts you want to prioritize for further attacks. If |
60 |
they're doing the same thing on processes trapped in a |
61 |
container+chroot then they're basically not going to know about any |
62 |
other services on the host other than the one they've already hacked |
63 |
into. |
64 |
|
65 |
Stuff running as non-root inside a container should be very well |
66 |
contained, barring kernel bugs. As we saw a few months ago with |
67 |
meltdown even running in a VM isn't a perfect guarantee of isolation. |
68 |
But, I would agree that stuff running under a different UID is also |
69 |
reasonably secure other than information leaks. |
70 |
|
71 |
The main benefit of containers is isolation, IMO. Stuff inside a |
72 |
container just doesn't see anything outside, which means fewer |
73 |
incompatibilities. I run a bunch of nspawn containers mostly running |
74 |
Gentoo (some with other distros inside), and the nice thing about it |
75 |
is that when I update a container I know it only provides one service, |
76 |
so I only have one service I need to test, vs doing a glibc update and |
77 |
having to test everything. On the other hand it is that many more |
78 |
updates to do, and there is a bit more memory cost since libraries |
79 |
aren't shared across them the way they would be if they all ran on the |
80 |
host. |
81 |
|
82 |
-- |
83 |
Rich |