CentOS 7 LXC Unpriviledged container - /dev/null permissions problems

F

fxandrei

Renowned Member
Jan 10, 2013
154
14
83
So i have this centos7 container and everything seems fine.
Now, i dont know if this is proxmox related (probably not) but i have installed some software and it checks the permissions of /dev/{null,random,urandom} and they are not how it expects them to be.
From what i understand the owner should be root but its not.

So if i run this:
ls -als /dev/{null,random,urandom}
I get :
0 crw-rw-rw- 1 65534 65534 1, 3 Feb 29 09:11 /dev/null
0 crw-rw-rw- 1 65534 65534 1, 8 Feb 29 09:11 /dev/random
0 crw-rw-rw- 1 65534 65534 1, 9 Feb 29 09:11 /dev/urandom

So if i try this :
chown root:root /dev/null
I get :
chown: changing ownership of '/dev/null': Operation not permitted

So i really dont undestant what this is used for and what i can do to have it changed.
 
hi,

unprivileged containers (default when you create a CT on our GUI) run in a namespace with their own uid/gid, along with some other restrictions on device nodes.

if you need /dev/null & friends to be owned by root then you need a privileged container.

you can read more about this here[0]

to switch a CT from unpriv -> priv:
1. make a backup of the CT
2. restore the backup and deselect unprivileged while doing so

[0]: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
 
So there is no way to have this on unprivileged containers right, and they to do it is to use privileged container ?
But these seem to not be as safe as unpriv ones.
At least thats what the Proxmox Wiki says (https://pve.proxmox.com/wiki/Linux_Container) :

Unprivileged Containers
Unprivileged containers use a new kernel feature called user namespaces. The root UID 0 inside the container is mapped to an unprivileged user outside the container. This means that most security issues (container escape, resource abuse, etc.) in these containers will affect a random unprivileged user, and would be a generic kernel security bug rather than an LXC issue. The LXC team thinks unprivileged containers are safe by design.
This is the default option when creating a new container.


Privileged Containers
Security in containers is achieved by using mandatory access control AppArmor restrictions, seccomp filters and Linux kernel namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. That’s why privileged containers should only be used in trusted environments.
Click to expand...
 
fxandrei said:
But these seem to not be as safe as unpriv ones.
Click to expand...
they aren't, and that's why unprivileged is the default setting.

some things don't work in unprivileged containers because of the restrictions they impose. this is a simple trade-off.

if you are worried about safety in privileged container, you can instead use a VM.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back