[Users] vzctl enter potentially dangerous

Kir Kolyshkin kir at openvz.org
Thu Feb 25 01:54:09 EST 2010


On 02/16/2010 12:04 PM, Dietmar Maurer wrote:
> Hi all,
>
> On the following URL http://download.swsoft.com/virtuozzo...erence/386.htm I can read:
> "However, be aware that vzctl enter is a potentially dangerous command if you have un-trusted users inside the Container. Your shell will have its file descriptors accessible for the Container root in the /proc filesystem and a malicious user could run ioctl calls on it. Never use vzctl enter for Containers you do not trust."
>
> Is there a way to avoid that security problem? Is there an example exploit for above issue?
>
>

The problem here is you open the tty/pty terminal pair between the HW
and CT, and by using some terminal ioctls it is possible to do nasty
things on the host. We believe the issue is non-existent in vzctl since
there are two pairs of tty/pty involved to not let the CT end control
the host end.

From the other side, I got a report recently that the issue is still
exploitable, but then I was unable to reproduce it and the reporter
was not able to clarify.

Nevertheless, to be on the safe side, it is better to use ssh to
connect to a container.

Disclaimer: I am not a security expert.
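
The intermediate tty/pty pair described in the reply above can be sketched as follows. This is an added example, not part of the original message and not vzctl's code; `run_in_fresh_pty`, `caller_tty` and `PROBE` are hypothetical names, and a POSIX system with pty support is assumed. The child only ever holds the slave end of a newly allocated pair, so terminal ioctls it issues act on that inner pair, while the caller's own terminal is never handed over and only bytes are relayed.

```python
import os
import pty
import subprocess
import sys


def run_in_fresh_pty(argv):
    """Run argv on a newly allocated pty pair; return (inner_tty, output)."""
    master, slave = pty.openpty()          # inner pair, separate from our own tty
    inner_tty = os.ttyname(slave)
    try:
        proc = subprocess.Popen(
            argv, stdin=slave, stdout=slave, stderr=slave,
            start_new_session=True,        # child is detached from our session
            close_fds=True,                # no stray descriptors reach the child
        )
    finally:
        os.close(slave)                    # only the child keeps the inner slave end
    chunks = []
    while True:
        try:
            data = os.read(master, 4096)   # relay: we only ever move bytes
        except OSError:                    # Linux reports EIO once the slave is closed
            break
        if not data:                       # other systems report plain EOF
            break
        chunks.append(data)
    os.close(master)
    proc.wait()
    return inner_tty, b"".join(chunks).decode(errors="replace")


def caller_tty():
    """Name of the terminal on our stdin, or None when stdin is not a tty."""
    try:
        return os.ttyname(0)
    except OSError:
        return None


# Constructed probe: the child reports which terminal device its stdin is.
PROBE = [sys.executable, "-c", "import os; print(os.ttyname(0))"]

if __name__ == "__main__":
    inner, seen = run_in_fresh_pty(PROBE)
    print("caller tty:", caller_tty())
    print("child saw :", seen.strip(), "(inner pair: " + inner + ")")
```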

