Public bug reported:

Hi,

I'm setting up a webserver, and decided after some reading and significant setup to contain various sites in their own LXC containers. The websites have different sets of developers, and several have daemons for which I created users. Consequently, there is not a 1:1 match between users on the host and inside each LXC.

I noticed when running ps auxf on the host machine that various processes were ascribed to the wrong users -- and surmised that it was just a result of what the host thought which names belonged to those userids; but I hoped it wouldn't let me kill them as that user. So I su'd to normal user "dave" (userid 1003) and was able to kill each of the websites' daemons, which each had a name like "eebot" and were userid 1003. Surely this is undesirable behaviour!

I have since added duplicate daemon userids and moved them into the 996 range so normal users won't likely accidentally overlap, but I think there should be a way to prevent regular host users from killing processes inside LXC that coincidentally happen to have the same userid.

I also noticed, for example, when running ps auxf, that the mysql users in the LXCs have the same userid as "colord" on the host, for the same reasons. While this is probably not a huge deal, there could easily be a situation where this was undesirable.

As an addendum, the reason I have the users added on the host is so they can SSH to it, and then into their respective LXC environments.

PS. I'm half-tempted to call this a security vulnerability, but I'm not sure what exactly that applies to; as a system administrator I might consider it a security vulnerability, as user A can kill user B's stuff, if the userids match that way.
--------------
$ lsb_release -rd
Description:    Ubuntu 12.04.2 LTS
Release:        12.04

$ apt-cache policy lxc
lxc:
  Installed: 0.7.5-3ubuntu67
  Candidate: 0.7.5-3ubuntu67
  Version table:
     0.8.0~rc1-4ubuntu39.12.10.2~ubuntu12.04.1 0
        100 http://mirror.peer1.net/ubuntu/ precise-backports/universe amd64 Packages
 *** 0.7.5-3ubuntu67 0
        500 http://mirror.peer1.net/ubuntu/ precise-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.7.5-3ubuntu52 0
        500 http://mirror.peer1.net/ubuntu/ precise/universe amd64 Packages

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1191596

Title:
  Host user can kill process of different LXC user, if same userid
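The collision the reporter describes is easy to audit for before it bites: compare the host's passwd database with each container's rootfs passwd and flag every UID that names a different account on each side, prioritising those where the host account has a login shell (an interactive host user who can signal container processes that share the UID). The script below is an added example, not part of the bug report or of the lxc package; the two passwd fragments are constructed from the account names mentioned in the report (the UIDs for colord and mysql are made up), and the container rootfs path `/var/lib/lxc/<name>/rootfs/etc/passwd` is the conventional LXC location on Ubuntu, supplied here only as a usage hint. Mapping container UIDs into a separate range via user namespaces (supported in later LXC releases, not in the 0.7.5 version shown) removes the overlap entirely; until then, this check tells you which UIDs need moving.

```python
"""Audit UID collisions between a host and an LXC container rootfs.

A collision is a UID present in both passwd files under different account
names. Host accounts that have a real login shell are the interesting ones,
because a user logged in as that UID can send signals to container
processes running as the same numeric UID.
"""

# Constructed sample data: accounts named in the bug report, UIDs invented.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
colord:x:105:111:colord colour management daemon,,,:/var/lib/colord:/bin/false
dave:x:1003:1003:Dave,,,:/home/dave:/bin/bash
"""

CONTAINER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
eebot:x:1003:1003::/srv/eebot:/bin/false
"""

# Shells that mark an account as non-interactive.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """Return {uid: [(name, shell), ...]} from passwd(5) formatted text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skip rather than guess
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        users.setdefault(uid, []).append((name, shell))
    return users


def find_uid_collisions(host_text, container_text):
    """List (uid, host_name, container_name, host_can_login) for every UID
    that resolves to differently named accounts on host and container."""
    host = parse_passwd(host_text)
    container = parse_passwd(container_text)
    collisions = []
    for uid in sorted(set(host) & set(container)):
        for host_name, host_shell in host[uid]:
            for cont_name, _ in container[uid]:
                if host_name != cont_name:
                    can_login = host_shell not in NOLOGIN_SHELLS
                    collisions.append((uid, host_name, cont_name, can_login))
    return collisions


def audit_files(host_path="/etc/passwd",
                container_path="/var/lib/lxc/CONTAINER/rootfs/etc/passwd"):
    """Run the check on real files (paths are assumptions; adjust per host)."""
    with open(host_path) as h, open(container_path) as c:
        return find_uid_collisions(h.read(), c.read())


if __name__ == "__main__":
    for uid, hname, cname, can_login in find_uid_collisions(HOST_PASSWD,
                                                            CONTAINER_PASSWD):
        risk = "HIGH (host account has a login shell)" if can_login else "low"
        print(f"uid {uid}: host={hname} container={cname} risk={risk}")
```

Running it on the constructed data reports UID 105 (colord vs mysql, low risk since colord cannot log in) and UID 1003 (dave vs eebot, high risk), which matches the two cases the reporter observed with ps auxf.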