Linux Container Madness
(…or How I Got Root in Less than 5 Minutes)
Update: This has nothing to do with Docker. My mistake - the concern is between LXC and Libvirt. Thanks to Wes Felter for pointing this out in the comments.
I’m unsure if this is actually a vulnerability or just a usability problem with the normal behaviour of LXC/Libvirt. Nevertheless, this seemingly harmless template file seems to cause A LOT of worry, as it allowed me to elevate privileges on the host system from an ordinary user account. I imagine new users of containers, like myself, should be more concerned about how safe these defaults really are.
If you want to try this out, then here is the preamble if you are running a Debian-based Linux. In this case I am running Ubuntu 14.04.1.
Create an unprivileged user, but with access to the
Now you should login as the ordinary user. Save the following XML template, which contains a name, a memory limit, console access and a shell. E.g. at /tmp/container.xml
Import the template into Libvirt:
Start the container. Make sure you have the Libvirt environment variable exported to work with LXC (e.g.
LIBVIRT_DEFAULT_URI=lxc:///), such that Libvirt doesn’t go looking for Xen or KVM.
And now try to run the bash shell:
Huh? You now have root on the host. Without any prompt for a superuser password. What kind of messed up world is this? I can read/write to any file on the host:
Or alternatively just cause a bit of downtime:
You can access a lot of the system programs in /bin, but it’s trivial to add yourself to the
sudoers group instead.
Is it possible to be careful with LXC? It doesn’t seem safe for mortals and is hardly encouraging. Like what Dan Walsh said in a recent article, it seems that “containers do not contain”. At least not without a lot of experience and carefully crafted configs. It would be a shame if such obscure semantics will let down the overall usability of the platform.
Thoughts are welcomed. Especially from LXC magicians - what are the semantics behind this configuration file? Privileges by default? My user had no superuser access…I expect them to remain that way.