Unprivileged jails

mod3777

Member

Reaction score: 15
Messages: 44

Linux has Unprivileged containers, through which a user can manage containers if admin allows him via a special config file, faking some parts with user subuids and subgids, and others, like create devices, etc… are "bypassed" during the installation process of "tweaked" templates of lxchub (or whatever it is). Then user can manage some sort of device nodes... at least that's how I understand it.

Code:
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# Using Bridge
USE_LXC_BRIDGE="true"

# Device nodes
lxc.cgroup.devices.allow = c 116:* rwm
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir

# Network namespaces
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.name = eth1
lxc.network.flags = up
lxc.network.hwaddr = 08:00:27:e5:c3:29
lxc.aa_allow_incomplete = 1

# Include systemwide tweaks
# lxc.include = /etc/lxc/default.conf
Now I wonder if FreeBSD jails can do so securely. It looks like, technically jails are more chroot on steroids rather than containers. I personally don't have any limitations with this, but can anyone technically explain the differences of Jails vs (lxc+docker)?
 

unitrunker

Active Member

Reaction score: 66
Messages: 184

Ask this guy

 

roccobaroccoSC

Well-Known Member

Reaction score: 96
Messages: 429

Yes, you can use the following properties in your jail.conf:
Code:
    exec.system_user = "root";
    exec.jail_user = "root";
Just read the manual page, it has a quite good explanation. jail(8)
 

roccobaroccoSC

Well-Known Member

Reaction score: 96
Messages: 429

It looks like, technically jails are more chroot on steroids rather than containers. I personally don't have any limitations with this, but can anyone technically explain the differences of Jails vs (lxc+docker)?
Containers are also basically chroot with a bunch of scripts on top of it to help set things up. The differences boil down to implementation details but the principle is the same.

With jails you can implement two strategies - you can have a complete environment (thick jail) with its own init scripts etc, or you can implement a thin jail (ldd+cp method) where you put only the binary you need in the jail. The same can be done with LxC and Docker. It's actually all the same - chroot with code that helps set up the chrooted environment. The rest is implementation details.
 
OP
OP
mod3777

mod3777

Member

Reaction score: 15
Messages: 44

Containers are also basically chroot with a bunch of scripts on top of it to help set things up. The differences boil down to implementation details but the principle is the same.

With jails you can implement two strategies - you can have a complete environment (thick jail) with its own init scripts etc, or you can implement a thin jail (ldd+cp method) where you put only the binary you need in the jail. The same can be done with LxC and Docker. It's actually all the same - chroot with code that helps set up the chrooted environment. The rest is implementation details.

Yes, you can use the following properties in your jail.conf:
Code:
    exec.system_user = "root";
    exec.jail_user = "root";
Just read the manual page, it has a quite good explanation. jail(8)
I tried what you said. I think you misunderstood the part jexec -u. I was consulting about executing jexec as a local user. Like this:
Bash:
$ lxc-start -n "containerName" -F // Starts the container without root
% jexec buildtank // Prevents it with Operation not permitted
Code:
dext3r@eula47 ~ % cat /etc/jail.conf
# /etc/jail.conf

allow.raw_sockets = 1;
allow.read_msgbuf = 1;
allow.mount = 1;
allow.mount.devfs = 1;

mount.devfs;
allow.mount.nullfs;

# Global settings applied to all jails.
exec.system_user = "root";
exec.jail_user = "root";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

# The jail definition for talon1
buildtank {
    host.hostname = buildtank;              # Hostname
    path = "/usr/local/jails/buildtank";    # Path to the jail
    interface = "ue0";                      # Network interface name
    ip4.addr = 192.168.100.102;             # IP Address assigned
}
dext3r@eula47 ~ % jexec buildtank
jexec: jail_attach(5): Operation not permitted // eh, lxc allows this as nonroot
Umm, still requires root privileges for jexec.
 

roccobaroccoSC

Well-Known Member

Reaction score: 96
Messages: 429

Well, you have to adjust the system and jail users. "root" should be changed to whatever user you want to use instead of root.
Also, you may have to chown the jail directory to that user, I am not sure about this, I have not used it yet. See the man page.
 
OP
OP
mod3777

mod3777

Member

Reaction score: 15
Messages: 44

I have found a resource that says:
it's possible to escape a jail given unprivileged access to the host, which is what we'd be doing here. So we need to either decide that's OK (that we trust folks to not *deliberately* wreak havoc, and are using this only to limit accidental damage), or find another way (probably running sshd in jails).
Here: Unprivileged jexec
 
Top