Can The Root User Access The Contents Of LXD Containers?


2 replies to this topic

#1 Guest_hollowface_*


Posted 28 May 2016 - 08:51 PM

This post is inspired by the unanswered question: http://askubuntu.com/questions/778854/can-someone-with-root-access-enter-in-a-lxd-container-and-see-its-contents .

 

Can the root user access the contents of LXD containers? Yes! Root has access to everything, including the contents of all LXD containers.

Terminal Test Output:

example1@example:~$ lxc start "Ubuntu_14.04_X86-64_Container"
example1@example:~$ lxc exec "Ubuntu_14.04_X86-64_Container" -- /bin/bash
root@Ubuntu_14:~# echo "Testing 1 2 3" > /testfile
root@Ubuntu_14:~# exit
exit
example1@example:~$ cat "/var/lib/lxd/containers/Ubuntu_14.04_X86-64_Container/rootfs/testfile"
Testing 1 2 3
example1@example:~$ su root -c "echo 'Testing v2 1 2 3' > '/var/lib/lxd/containers/Ubuntu_14.04_X86-64_Container/rootfs/testfile'"
Password:
example1@example:~$ lxc exec "Ubuntu_14.04_X86-64_Container" -- /bin/bash
root@Ubuntu_14:~# cat /testfile
Testing v2 1 2 3
root@Ubuntu_14:~# exit
exit
example1@example:~$ lxc stop "Ubuntu_14.04_X86-64_Container"
example1@example:~$

In the above test we can see a file is created in the container, and then modified by the host root account. If this is undesirable one could use a virtual machine (VirtualBox, VMware Workstation Player, etc) rather than a virtual system (container). When the VM is offline, its virtual disk could still be mounted, and contents accessed that way, so it would be advisable to set up the guest OS with encrypted partitions (something I have no experience with).
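As an added example (not code from the original post), the host-side read and write that the transcript above performs, wrapped into a POSIX shell script that first works out how the current host account can reach a container's files: as host root, directly through the rootfs directory; as a member of the lxd group, through lxc exec (LXD documents that group as equivalent to root on the host); or as neither, only as far as the host-side permissions on the rootfs happen to allow. The LXD_DIR location and the containers/NAME/rootfs layout are assumed from the post (the "dir" storage layout of LXD 2.x); other storage backends may keep the rootfs elsewhere, and a stopped container's filesystem may not be mounted at all on those backends.

```shell
#!/bin/sh
# Added example, not part of the original post. Classifies how the current host
# account can reach an LXD container's files and reads one file via that route.
# Assumptions: LXD_DIR/containers/NAME/rootfs layout as shown in the post ("dir"
# storage, LXD 2.x) and the "lxd" group convention from the LXD documentation.

LXD_DIR="${LXD_DIR:-/var/lib/lxd}"

# access_level UID "GROUP GROUP ..." -> prints root | lxd-group | unprivileged
# Takes the uid and group list as arguments so the logic can be checked offline.
access_level() {
    uid="$1"
    groups="$2"
    if [ "$uid" -eq 0 ]; then
        echo root
        return
    fi
    for g in $groups; do
        if [ "$g" = "lxd" ]; then
            # LXD runs as root; members of its group can "lxc exec" as container root.
            echo lxd-group
            return
        fi
    done
    echo unprivileged
}

# container_rootfs NAME -> host path of the container's root filesystem
container_rootfs() {
    echo "$LXD_DIR/containers/$1/rootfs"
}

# host_read NAME PATH -> contents of PATH inside the container, read from the host side
host_read() {
    cat "$(container_rootfs "$1")$2"
}

# host_write NAME PATH CONTENT -> overwrite PATH inside the container from the host side
host_write() {
    printf '%s\n' "$3" > "$(container_rootfs "$1")$2"
}

main() {
    name="${1:?usage: $0 CONTAINER [PATH]}"
    path="${2:-/etc/hostname}"
    level=$(access_level "$(id -u)" "$(id -Gn)")
    echo "host account $(id -un): $level"
    case "$level" in
        root)
            # Root bypasses DAC on the host; the rootfs is an ordinary directory tree.
            host_read "$name" "$path" ;;
        lxd-group)
            # Not root on the host, but LXD will run the command as root in the container.
            lxc exec "$name" -- cat "$path" ;;
        unprivileged)
            # Only whatever the host-side permissions on the rootfs allow.
            host_read "$name" "$path" 2>/dev/null \
                || echo "no access to $(container_rootfs "$name")$path" ;;
    esac
}

# Only run main when a container name was given, so the functions can be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Run it as ./lxd_access.sh CONTAINER [/path/inside/container] from an ordinary account, from an account in the lxd group, and as root to see the three routes. The point of the grouping check is that "only root can read the container" is too narrow: on a default LXD install, anyone who can talk to the LXD socket gets the same result through lxc exec or lxc file pull, so that group membership deserves the same care as the root password.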



#2 technonymous


Posted 30 May 2016 - 11:00 PM

Root can do anything. So you as the owner of the machine should be the only one that knows the root and superuser credentials. However, you as the root or superuser can give ownership of a file over to other users that are not part of the superuser group & chmod it 700 for them. However, can a user trust root?


Edited by technonymous, 30 May 2016 - 11:02 PM.


#3 mremski


Posted 31 May 2016 - 02:42 AM

I don't know why this would come as a surprise to anyone. Containers are designed to prevent a process running inside the container from accessing anything outside the container. They are not designed to prevent anything outside the container from accessing container files, simply because the container files "live" on the real filesystem. As said in #2 "root can do anything"; regarding containers, more specifically "Host machine root can do anything it wants to containers".


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer




