BlankSystemDaemon
Mar 13, 2009



my homie dhall posted:

are you... actually sshing to the container? as in it is running ssh?

if you live in a normal world you exec into the container either from the host it’s running on or preferably remotely using kubectl
This is exactly what you want to avoid if you're using jails or containers for isolating, since attaching a process inside a jail or container means that an attacker could modify the binary you're attaching to.
Interestingly enough, this has been a theoretical attack for decades (which is why jexec is discouraged on FreeBSD, in favour of ssh), but this is no longer the case.

my homie dhall
Dec 9, 2010

honey, oh please, it's just a machine
well yes, doing so requires root privileges

BlankSystemDaemon
Mar 13, 2009



my homie dhall posted:

well yes, doing so requires root privileges
containers are closer to chroot, which freebsd can do unprivileged as well, in so far as not being intended for isolation - but even if you suid jexec(8) or someone makes unprivileged jails work, that doesn't prevent the jail escape which is what i was talking about

my homie dhall
Dec 9, 2010

honey, oh please, it's just a machine
I'm not sure I'm completely following you, but in 2022 Linux containers can be run by unprivileged users and thus "container escape" could only ever give you unprivileged access

but it also seems kind of beside the point, because if you are able to escape a container you're already exploiting the kernel

Cybernetic Vermin
Apr 18, 2005

my homie dhall posted:

I'm not sure I'm completely following you, but in 2022 Linux containers can be run by unprivileged users and thus "container escape" could only ever give you unprivileged access

in what way exactly is the container a container at the point where things casually stroll out of it? given how much you seem to care about the security of the setup i do now imagine that the "unprivileged" level after container escape will be able to mess with everything of actual relevance on the machine, being precluded perhaps from changing the system clock.

BlankSystemDaemon
Mar 13, 2009



my homie dhall posted:

I'm not sure I'm completely following you, but in 2022 Linux containers can be run by unprivileged users and thus "container escape" could only ever give you unprivileged access

but it also seems kind of beside the point, because if you are able to escape a container you're already exploiting the kernel
In the year 2022 you don't ever see a box rooted with a single exploit, though.
Attackers are going to use remote code execution, privilege escalation, container escapes and any or all of their individual tools may also use ROP gadgets, JIT spraying, rely on use-after-free, or any number of fun things.

The prime reason containers exist on Linux is to orchestrate things, and that's been the selling point since day one.
It's not about isolation, and even if you can retrofit isolation on top of all the various containers, it's interesting to look at how many escape exploits there's been in either docker or kubernetes, and try to at least consider how many people are going to go out of their way to activate the isolation mechanisms, which aren't default and take a not-inconsiderable amount of work to set up correctly.

Progressive JPEG
Feb 19, 2003

what do you mean by "retrofit"? cgroups containers have had filesystem/network/process isolation for example since the beginning, where docker and kubernetes* both rely on kernel cgroups apis to actually apply the isolation. each container is a plain linux process that has rules enforced at the kernel

at the "raw" cgroups api you can pick which resource classes to enforce. filesystem isolation for example is optional at that level, but the option has always been there and it's unusual to not use it. like if you're doing containers via systemd (also cgroups underneath) then maybe you just limit cpu/mem while leaving the others using host resources

anyway to answer the security thing, the worst case risk of breaking out of a container in kubernetes is that you then have access to the kubelet process, in the worst case allowing:
- access to all containers running via the local kubelet
- access to certificates that allow mimicking the kubelet to e.g. access all secrets in the cluster default secret store (but not in alternate stores like vault)

but to do that you first need to find a vulnerability in kernel process management that can also be applied to the configuration of the container that you have access to

* kubernetes may even be using dockerd as its container engine, but it's quite bad and these days normally you'd be using containerd outside of specific holdouts like eks. but it's all using cgroups underneath

my homie dhall
Dec 9, 2010

honey, oh please, it's just a machine

Cybernetic Vermin posted:

in what way exactly is the container a container at the point where things casually stroll out of it? given how much you seem to care about the security of the setup i do now imagine that the "unprivileged" level after container escape will be able to mess with everything of actual relevance on the machine, being precluded perhaps from changing the system clock.

yeah, but what you’re describing is not the case if you’re holding it correctly

admittedly people are mostly not doing that, but don’t blame Linux!

BlankSystemDaemon posted:

In the year 2022 you don't ever see a box rooted with a single exploit, though.
Attackers are going to use remote code execution, privilege escalation, container escapes and any or all of their individual tools may also use ROP gadgets, JIT spraying, rely on use-after-free, or any number of fun things.

The prime reason containers exist on Linux is to orchestrate things, and that's been the selling point since day one.
It's not about isolation, and even if you can retrofit isolation on top of all the various containers, it's interesting to look at how many escape exploits there's been in either docker or kubernetes, and try to at least consider how many people are going to go out of their way to activate the isolation mechanisms, which aren't default and take a not-inconsiderable amount of work to set up correctly.

look, I think a problem here is that containers is an imprecise term. largely you’re talking about some nice api on top of cgroups and namespaces, but there are also Linux container runtimes available that intercept and emulate system calls or use the in-kernel kvm machinery to run the process in what is essentially its own individual vm

to your point, I agree that the primary container runtime that initially got traction on Linux, which was docker, traded usability for security in its initial implementation where required. they knew operators were going to run all their containers as root even though they explicitly said “do not do this!” and predictably users do exactly that and run root containers all day long.

but! the major primitives docker relies on, namespaces and cgroups, are very much designed for strong isolation guarantees. as I mentioned, since 3.8, root is not required at all to use these tools, not even suid. and they’re pretty powerful, you can start a container within which a process is running as “root” with full capabilities, but that root will actually just map to the unprivileged user that started the container.

as for why so many of these exploits pop up on Linux as opposed to FreeBSD, I’d imagine it’s because Linux has users
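The uid mapping described in the post above (a process that is "root" inside the namespace but maps to the unprivileged user that started the container) is exposed by the kernel in `/proc/<pid>/uid_map`, one `inner outer count` triple per line. The following is an added example, not code from any poster in this thread, that parses that format and translates a namespaced uid back to the parent namespace; the sample map text is constructed and the function names are my own.

```python
"""Translate uids across a Linux user namespace using the /proc/<pid>/uid_map format.

Each line of uid_map is "<first id inside the namespace> <first id in the parent
namespace> <count>".  A uid inside the namespace that falls in no range is unmapped;
the kernel then reports it as the overflow uid (65534, "nobody", by default).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdMapping:
    inner_start: int   # first id as seen inside the namespace
    outer_start: int   # first id as seen in the parent namespace
    count: int         # length of the contiguous range


def parse_id_map(text: str) -> List[IdMapping]:
    """Parse uid_map/gid_map text into a list of ranges (blank lines ignored)."""
    mappings: List[IdMapping] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {raw!r}")
        inner, outer, count = (int(f) for f in fields)
        if count <= 0 or inner < 0 or outer < 0:
            raise ValueError(f"invalid id_map range: {raw!r}")
        mappings.append(IdMapping(inner, outer, count))
    return mappings


def to_parent(mappings: List[IdMapping], inner_uid: int) -> Optional[int]:
    """Return the parent-namespace uid for inner_uid, or None if it is unmapped."""
    for m in mappings:
        if m.inner_start <= inner_uid < m.inner_start + m.count:
            return m.outer_start + (inner_uid - m.inner_start)
    return None


def is_real_root(mappings: List[IdMapping], inner_uid: int) -> bool:
    """True only if inner_uid maps to uid 0 in the parent namespace.

    In the initial namespace (identity map) uid 0 is real root; in a rootless
    container uid 0 typically maps to the unprivileged user that created it.
    """
    return to_parent(mappings, inner_uid) == 0


def read_id_map(path: str = "/proc/self/uid_map") -> List[IdMapping]:
    """Read and parse the calling process's own uid_map (Linux only)."""
    with open(path, encoding="ascii") as fh:
        return parse_id_map(fh.read())


# Constructed sample maps (assumed values, not taken from the thread).
# A rootless container started by host uid 1000 with a subordinate range from /etc/subuid:
ROOTLESS_UID_MAP = "         0       1000          1\n         1     100000      65536\n"
# The initial user namespace: an identity mapping covering every uid.
INITIAL_NS_UID_MAP = "         0          0 4294967295\n"


if __name__ == "__main__":
    rootless = parse_id_map(ROOTLESS_UID_MAP)
    print("container uid 0 ->", to_parent(rootless, 0))       # 1000
    print("container uid 1 ->", to_parent(rootless, 1))       # 100000
    print("container uid 70000 ->", to_parent(rootless, 70000))  # None (unmapped)
    print("is uid 0 real root in container?", is_real_root(rootless, 0))
    try:
        mine = read_id_map()
        print("this process: uid 0 is real root?", is_real_root(mine, 0))
    except OSError:
        print("no /proc/self/uid_map here (not Linux)")
```

Note that `uid_map` is always shown relative to the namespace of the process reading it, so for nested namespaces you would apply the translation once per level, walking outward until you reach the initial namespace.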

Progressive JPEG
Feb 19, 2003

big gnomes big problems

Sapozhnik
Jan 2, 2005

Nap Ghost
Rootless containers are so bad from a security standpoint that enterprise distros disable them outright. Unless something changed recently.

A user can create a namespace containing a confined fake root user but all too often there is a flaw in Linux's security checks that allow it to act as an unconfined real root. Because these checks were not designed for a namespaced fake root originally and retrofitting this concept after the fact is dangerous.

mycophobia
May 7, 2008
found an ugly but quite functional dual pane file manager called double commander. wanted something comparable to altap salamander in windows and i think this just about fits the bill

Mr. Crow
May 22, 2008

Snap City mayor for life

Sapozhnik posted:

Rootless containers are so bad from a security standpoint that enterprise distros disable them outright. Unless something changed recently.

A user can create a namespace containing a confined fake root user but all too often there is a flaw in Linux's security checks that allow it to act as an unconfined real root. Because these checks were not designed for a namespaced fake root originally and retrofitting this concept after the fact is dangerous.

Gonna need some citations

mystes
May 31, 2006

mycophobia posted:

found an ugly but quite functional dual pane file manager called double commander. wanted something comparable to altap salamander in windows and i think this just about fits the bill
If you don't already know that these are all norton commander clones this might give you the appropriate term to google for

mycophobia
May 7, 2008

mystes posted:

If you don't already know that these are all norton commander clones this might give you the appropriate term to google for

yeah i've briefly looked around for some before but i haven't found anything this full featured until now. i don't actually have a pressing need for a file manager like this outside of work where i use windows anyway lol but it's cool to have

sb hermit
Dec 13, 2016





Fedora 36 Beta is shaping up to be pretty good. I can actually use the tpm with cryptenroll now, so I can have an encrypted root disk without the need to type anything to decrypt it.

It's not really high security by any means, but it strikes the balance between reducing user friction and addressing the use case where someone replaces a hard drive or repurposes it but forgets to wipe it. It should work well as a fileserver I can leave with my parents.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Mr. Crow posted:

Gonna need some citations

https://twitter.com/search?q=from%3A%40grsecurity%20%22unpriv%20userns%22&src=typed_query&f=live

git apologist
Jun 4, 2003

BlankSystemDaemon posted:

why yes, let me make my prompt absofuckinglutely unreadable by anyone and filling it with things i don't need when i'm working, so that i can be constantly distracted and not get any work done

yeah it owns. with powerlevel10k it’s :discourse:

git apologist
Jun 4, 2003

putting in a new low power server in my house as a generic shell environment for dicking about, and to run all my nerd dockers (plex, transmission, pihole, et al). should i use fedora server or red hat, i kinda wanna try red hat so i can know a little about it for work

sb hermit
Dec 13, 2016





Gentle Autist posted:

putting in a new low power server in my house as a generic shell environment for dicking about, and to run all my nerd dockers (plex, transmission, pihole, et al). should i use fedora server or red hat, i kinda wanna try red hat so i can know a little about it for work

unless you have a specific version of rhel in mind, you should just stick with fedora so that you can plan for the future instead of being shackled to tools that might get OBE'd anyway.

BlankSystemDaemon
Mar 13, 2009



Gentle Autist posted:

yeah it owns. with powerlevel10k it’s :discourse:
that... whatever it is is the definition of :barf:

yummycheese
Mar 28, 2004

yea careful with RHEL. stuff like curl, openssl, imagemagick will get pinned to a version and stay at that version with only minor security backports for a decade.

great for work where you don't want random surprises. but frustrating for home where you might want to play with the newest stuff

git apologist
Jun 4, 2003

fedora it is, thanks friends

carry on then
Jul 10, 2010

by VideoGames

(and can't post for 10 years!)

yah i got a little thinkcentre tiny for that and fedora server is perfect for that use case

Soricidus
Oct 21, 2010
freedom-hating statist shill

yummycheese posted:

yea careful with RHEL. stuff like curl, openssl, imagemagick will get pinned to a version and stay at that version with only minor security backports for a decade.

great for work where you don't want random surprises. but frustrating for home where you might want to play with the newest stuff

can’t wait to get home and boot up the latest curl to see what new cli options they’ve thought of

Tankakern
Jul 25, 2007

lol

Shaggar
Apr 26, 2006

Soricidus posted:

can’t wait to get home and boot up the latest curl to see what new cli options they’ve thought of

git apologist
Jun 4, 2003

carry on then posted:

yah i got a little thinkcentre tiny for that and fedora server is perfect for that use case

the thing i have coming is an hp usff with a t-series (low power laptop) i5. I’m digging the concept and might find some more excuses to buy more, like setting up a nice retro emulator appliance for my 8 year old nephew using a launchbox frontend

git apologist
Jun 4, 2003

you can get them for next to nothing ex-lease too

Amethyst
Mar 28, 2004

I CANNOT HELP BUT MAKE THE DCSS THREAD A FETID SWAMP OF UNFUN POSTING
plz notice me trunk-senpai
new ubuntu lts looks good enough for me to switch from pop_os

Amethyst
Mar 28, 2004

I CANNOT HELP BUT MAKE THE DCSS THREAD A FETID SWAMP OF UNFUN POSTING
plz notice me trunk-senpai
reviews all say snapd is still a slow POS though

Mr. Crow
May 22, 2008

Snap City mayor for life
Ubuntu is never the right choice

Mr. Crow
May 22, 2008

Snap City mayor for life

Mr. Crow posted:

Linux is never the right choice

Last Chance
Dec 31, 2004

isn’t there a new Ubuntu LTS out now?

sb hermit
Dec 13, 2016





Last Chance posted:

isn’t there a new Ubuntu LTS out now?

yes, it's what prompted

Amethyst posted:

new ubuntu lts looks good enough for me to switch from pop_os

Amethyst
Mar 28, 2004

I CANNOT HELP BUT MAKE THE DCSS THREAD A FETID SWAMP OF UNFUN POSTING
plz notice me trunk-senpai

Mr. Crow posted:

Ubuntu is never the right choice

what's wrong with it. seems fine to me

Amethyst
Mar 28, 2004

I CANNOT HELP BUT MAKE THE DCSS THREAD A FETID SWAMP OF UNFUN POSTING
plz notice me trunk-senpai
posting from ubuntu 22.04. gnome 42 defaults are fantastic.

Amethyst
Mar 28, 2004

I CANNOT HELP BUT MAKE THE DCSS THREAD A FETID SWAMP OF UNFUN POSTING
plz notice me trunk-senpai
firefox really does take forever to boot first time from snapd though. uninstalled + replaced with the flatpak version

Sapozhnik
Jan 2, 2005

Nap Ghost
snap is terrible and needs to go the way of mir

git apologist
Jun 4, 2003

Amethyst posted:

what's wrong with it. seems fine to me

nbsd says it has a dysfunctional security model for package management by default

BlankSystemDaemon
Mar 13, 2009



isn't nbsd still banned?
