Hi, there is a recent vulnerability (CVE-2016-8649) which allows unprivileged containers
ptrace the host system, thus likely to execute code on the host.
More details here:
http://openwall.com/lists/oss-security/2016/11/23/6
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1639345
Can you please merge it into the next update?
Thanks
Note that Turris currently only supports privileged containers. Here is what the LXC developers say about the security of privileged containers:
“[…] they’re not safe at all and should only be used in environments where unprivileged containers aren’t available and where you would trust your container’s user with root access to the host.”
“As privileged containers are considered unsafe, we typically will not consider new container escape exploits to be security issues worthy of a CVE and quick fix.”
“We are aware of a number of exploits which will let you escape such containers and get full root privileges on the host.”
Source: https://linuxcontainers.org/lxc/security/
EDIT: I really hope that the Turris team will consider implementing unprivileged containers. Forum user @nerdpunk already did the work: Multiple virtual servers (LXC containers) possible?
Thanks for mentioning that.
I was thinking about using the containers for running IoT and SSH honeypots,
but considering they run in this way I will probably do it on another device like before.