Unprivileged jails

fr0xk

fr0xk

Linux has Unprivileged containers, through which a user can manage containers if admin allows him via a special config file, faking some parts with user subuids and subgids, and others, like create devices, etc… are "bypassed" during the installation process of "tweaked" templates of lxchub (or whatever it is). Then user can manage some sort of device nodes... at least that's how I understand it.

Code: 
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# Using Bridge
USE_LXC_BRIDGE="true"

# Device nodes
lxc.cgroup.devices.allow = c 116:* rwm
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir

# Network namespaces
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.name = eth1
lxc.network.flags = up
lxc.network.hwaddr = 08:00:27:e5:c3:29
lxc.aa_allow_incomplete = 1

# Include systemwide tweaks
# lxc.include = /etc/lxc/default.conf

Now I wonder if FreeBSD jails can do so securely. It looks like, technically jails are more chroot on steroids rather than containers. I personally don't have any limitations with this, but can anyone technically explain the differences of Jails vs (lxc+docker)?
 
mod3777 said:
It looks like, technically jails are more chroot on steroids rather than containers. I personally don't have any limitations with this, but can anyone technically explain the differences of Jails vs (lxc+docker)?
Click to expand...
Containers are also basically chroot with a bunch of scripts on top of it to help set things up. The differences boil down to implementation details but the principle is the same.

With jails you can implement two strategies - you can have a complete environment (thick jail) with its own init scripts etc, or you can implement a thin jail (ldd+cp method) where you put only the binary you need in the jail. The same can be done with LxC and Docker. It's actually all the same - chroot with code that helps set up the chrooted environment. The rest is implementation details.
 
roccobaroccoSC said:
Containers are also basically chroot with a bunch of scripts on top of it to help set things up. The differences boil down to implementation details but the principle is the same.

With jails you can implement two strategies - you can have a complete environment (thick jail) with its own init scripts etc, or you can implement a thin jail (ldd+cp method) where you put only the binary you need in the jail. The same can be done with LxC and Docker. It's actually all the same - chroot with code that helps set up the chrooted environment. The rest is implementation details.
Click to expand...


roccobaroccoSC said:
Yes, you can use the following properties in your jail.conf:
Code: 
    exec.system_user = "root";
    exec.jail_user = "root";
Just read the manual page, it has a quite good explanation. jail(8)
Click to expand...

I tried what you said. I think you misunderstood the part jexec -u. I was consulting about executing jexec as a local user. Like this:
Bash: 
$ lxc-start -n "containerName" -F // Starts the container without root
% jexec buildtank // Prevents it with Operation not permitted

Code: 
dext3r@eula47 ~ % cat /etc/jail.conf
# /etc/jail.conf

allow.raw_sockets = 1;
allow.read_msgbuf = 1;
allow.mount = 1;
allow.mount.devfs = 1;

mount.devfs;
allow.mount.nullfs;

# Global settings applied to all jails.
exec.system_user = "root";
exec.jail_user = "root";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

# The jail definition for talon1
buildtank {
    host.hostname = buildtank;              # Hostname
    path = "/usr/local/jails/buildtank";    # Path to the jail
    interface = "ue0";                      # Network interface name
    ip4.addr = 192.168.100.102;             # IP Address assigned
}
dext3r@eula47 ~ % jexec buildtank
jexec: jail_attach(5): Operation not permitted // eh, lxc allows this as nonroot

Umm, still requires root privileges for jexec.
 
Well, you have to adjust the system and jail users. "root" should be changed to whatever user you want to use instead of root.
Also, you may have to chown the jail directory to that user, I am not sure about this, I have not used it yet. See the man page.
 
I have found a resource that says:
it's possible to escape a jail given unprivileged access to the host, which is what we'd be doing here. So we need to either decide that's OK (that we trust folks to not *deliberately* wreak havoc, and are using this only to limit accidental damage), or find another way (probably running sshd in jails).
Click to expand...

Here: Unprivileged jexec
 
You must log in or register to reply here.
Back
Top