[Users] Solar Designer Audit 2005

Solar Designer solar at openwall.com
Mon Oct 12 04:44:00 PDT 2015 

On Mon, Oct 12, 2015 at 12:42:42PM +0300, Sergey Bronnikov wrote:
> Alexander found a report which was done for OpenVZ in 2005.
> I have attached it.

Thank you for making this public, Sergey!

I think this is worth another look, and the test programs from the
tarball are worth re-running against currently maintained kernels.

> 1.7. route tables, network interfaces (aliases), and mounts are not
> properly beancounted or limited, allowing for DoS attacks on the host
> node.  route table flood appears to be the most effective, leading to
> the system running out of physical memory within minutes.
> 
> 1.8. The queues_count variable in ipc/mqueue.c is not virtualized,
> potentially allowing to DoS the functionality for non-root users in all
> VPSes and on the host system.

I am not aware of these issues having been fixed, so maybe they are
still present.  The deliverable-1.tar.gz tarball contains testcases
(should I say exploits?) for some of them, potentially allowing
in-container users to DoS the host in these ways.  (Maybe kmemsize would
kick in, or maybe not soon enough or not at all.  Things were pretty bad
back then - I think linear search and such.  Maybe newer kernels' data
structures are sufficiently better to tolerate this sort of abuse, or
maybe not.)

> 2.2. vzctl.spec [...]
[...]
> Additionally, it is preferable for default permissions on /vz/private to
> be forced to 700.

We've been using 700 in Owl, but I think this might not be the case in
upstream vzctl, nor in other distros.

> 2.4. A warning should be added to the vzctl(8) manual page stating that
> enabling non-default capabilities may completely break the OpenVZ
> security model.  Maybe vzctl itself should print a warning, too, when
> requested to set known-unsafe capabilities.

I think this is still missing, right?

> 	Portions of code and potential issues yet to be checked for.

We did not proceed with a more thorough security audit.

> 	Recommendations for "hardening" OpenVZ security.

I think none of these ended up being implemented.  Please correct me if
I am wrong.

Other than these pieces I quoted and maybe some documentation issues (on
LSMs breaking OpenVZ security model), I think everything else was fixed.
(But it's worth re-testing now, as regressions are possible and lots of
new code has been added, both upstream and OpenVZ-specific.)

It was a pleasant experience working with OpenVZ developers on this, and
briefly with Linux kernel upstream as well (all issues promptly fixed).

Thanks again,

Alexander

More information about the Users mailing list