[avahi] Avahi daemon doesn't work inside an unprivileged container

Yann Soubeyrand ysoubeyrand at adeneo-embedded.com
Fri Jul 17 08:55:43 PDT 2015


Hi Trent,

Sorry for the (very) long delay…

Inside the container I get a cred->uid value of 65534 which means (if
I'm not mistaken) a UID overflow. I'm not sure if this is due to the
fact that the UID 0 is mapped to the UID 755360 for this container.
Anyway, I think that the value of cred->uid should be 0 in this case
but I'm not sure.

Here is the setup I used. My host system is a Debian Sid with LXC
1.0.7-3. The container runs Ubuntu Utopic as I wasn't able to run Ubuntu
Vivid inside an unprivileged container. The commands I used to set up my
container to reproduce this bug are the following ones (executed under
the superuser account). The superuser account owns 65536 sub UIDs
starting at 755360.

HTTP_PROXY=apt lxc-create -B btrfs -t ubuntu -n ubuntu-utopic -- -r utopic --packages lxc,avahi-daemon,avahi-autoipd,avahi-dnsconfd,libnss-mdns
uidmapshift -b /var/lib/lxc/ubuntu-utopic/rootfs 0 755360 65536
chown 755360:755360 /var/lib/lxc/ubuntu-utopic
cat > /var/lib/lxc/ubuntu-utopic/config << EOF
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: -r utopic --packages lxc,avahi-daemon,avahi-autoipd,avahi-dnsconfd,libnss-mdns
# For additional config options, please look at lxc.container.conf(5)

# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf

# Container specific configuration
lxc.rootfs = /var/lib/lxc/ubuntu-utopic/rootfs
lxc.mount = /var/lib/lxc/ubuntu-utopic/fstab
lxc.utsname = ubuntu-utopic
lxc.arch = amd64
lxc.id_map = u 0 755360 65536
lxc.id_map = g 0 755360 65536

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
EOF
lxc-start -n ubuntu-utopic

Inside the container, I rebuilt the Avahi packages to run some tests:

sudo -s
sed -ri 'p;s#^deb (.*)$#deb-src \1#' /etc/apt/sources.list
apt-get update
apt-get install dpkg-dev gdb
apt-get source avahi-daemon
apt-get build-dep avahi-daemon
cd avahi-0.6.31
…
dpkg-buildpackage -us -uc
dpkg -i ../*.deb

Feel free to ask me if you need more information.

Cheers

Yann


On Wednesday 01 April 2015 at 11:25 +0800, Trent Lloyd wrote:
> Hi Yann,
> 
> Can you tell me what value of cred->uid you are actually getting 
> inside these containers? I wonder if somehow you are getting the 
> unmapped value.
> I assume that inside the container running “Id” shows 0, but outside 
> the container you see it remapped to another id?
> 
> If you can confirm the lxc version, and possibly supply a config (or 
> as much info as possible) I can reproduce with, that would be great.
> 
> Cheers,
> Trent
> 
> > On 6 Feb 2015, at 4:23 pm, Yann Soubeyrand <
> > ysoubeyrand at adeneo-embedded.com> wrote:
> > 
> > Hi,
> > 
> > Avahi daemon doesn't work inside an unprivileged container, more
> > precisely inside a container where the uid 0 is mapped to a uid
> > other than 0.
> > 
> > I identified the line where the problem occurs in the Avahi
> > sources: http://git.0pointer.net/avahi.git/tree/avahi-core/netlink.c#n85.
> > 
> > I don't know if it's a bug of Avahi or if it's a bug inside the
> > kernel. My guess is that it's the latter one but I'm not sure. I
> > think that the kernel passes the credentials mapped to zero when
> > it's the sender of the message whereas it should pass all zero
> > credentials in this case. But I didn't read the code of netlink
> > and it's purely speculation. Also, I wonder if it could not
> > introduce security flaws doing so.
> > 
> > Feel free to ask me if you need further information or if you
> > need me to be clearer in my explanations ;-)
> > 
> > I'm using Debian Sid as my host system (I tried 3.16 and 3.18
> > kernels) and Ubuntu Vivid inside my container.
> > 
> > Cheers

-- 
Linux software engineer
Adeneo Embedded
4 chemin du Ruisseau
69130 Écully
France
+33 4 72 18 08 40
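The cred->uid check this thread is about, as an added example that is not Avahi's own code: a small Linux C program that asks the kernel for an RTM_GETLINK dump with SO_PASSCRED enabled, pulls the SCM_CREDENTIALS the kernel attaches to its reply, and applies the same "sender uid must be 0" rule to them. The names struct nl_creds, avahi_style_trusted and creds_from_msg are assumptions of this example; 65534 is the kernel's default overflow uid, which is how a uid with no mapping in the current user namespace is reported.

```c
#define _GNU_SOURCE 1   /* glibc: expose SCM_CREDENTIALS; must precede all includes */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value, hidden by glibc without _GNU_SOURCE */
#endif
/* Payload layout of SCM_CREDENTIALS; identical to glibc's struct ucred. */
struct nl_creds { pid_t pid; uid_t uid; gid_t gid; };
/* The acceptance rule the thread is about: trust the sender only if uid == 0.
 * Returns 1 = accepted, 0 = dropped. In a user namespace where uid 0 is mapped
 * elsewhere, the kernel's own messages carry pid 0 and the overflow uid 65534,
 * so this rule drops the kernel itself. */
int avahi_style_trusted(const struct nl_creds *cred) {
    return cred != NULL && cred->uid == 0;
}
/* Copy the SCM_CREDENTIALS ancillary data out of a received message. */
int creds_from_msg(struct msghdr *msg, struct nl_creds *out) {
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 1;
        }
    return 0;
}
/* Request an RTM_GETLINK dump and print the credentials the kernel attaches. */
int main(void) {
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), on = 1;
    struct { struct nlmsghdr nh; struct rtgenmsg g; } req = {
        { sizeof req, RTM_GETLINK, NLM_F_REQUEST | NLM_F_DUMP, 1, 0 }, { AF_UNSPEC } };
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    char buf[8192], ctl[CMSG_SPACE(sizeof(struct nl_creds))];
    struct iovec iov = { buf, sizeof buf };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct nl_creds cred;
    if (fd < 0 || setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0
        || sendto(fd, &req, sizeof req, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0
        || recvmsg(fd, &msg, 0) < 0 || !creds_from_msg(&msg, &cred))
        return perror("netlink exchange failed"), 1;
    printf("sender pid=%d uid=%u gid=%u -> %s\n", (int)cred.pid, (unsigned)cred.uid,
           (unsigned)cred.gid, avahi_style_trusted(&cred) ? "accepted" : "dropped");
    return close(fd), 0;
}
```

Run it on the host and inside the unprivileged container: on the host the kernel's reply shows pid 0 and uid 0 and is accepted, while inside a container whose uid 0 is mapped elsewhere the same reply shows uid 65534 and is dropped, which is the failure described in this thread.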

