[avahi] Avahi daemon doesn't work inside an unprivileged container
ysoubeyrand at adeneo-embedded.com
Fri Jul 17 08:55:43 PDT 2015
Sorry for the (very) long delay…
Inside the container I get a cred->uid value of 65534 which means (if
I'm not mistaken) a UID overflow. I'm not sure if this is due to the
fact that the UID 0 is mapped on the UID 755360 for this container.
Anyway, I think that the value of cred->uid should be 0 in this case
but I'm not sure.
Here is the setup I used. My host system is a Debian Sid with LXC
1.0.7-3. The container runs Ubuntu Utopic as I wasn't able to run Ubuntu
Vivid inside an unprivileged container. The commands I used to set up my
container to reproduce this bug are the following ones (executed under
the superuser account). The superuser account owns 65536 sub UIDs
starting at 755360.
HTTP_PROXY=apt lxc-create -B btrfs -t ubuntu -n ubuntu-utopic -- -r utopic --packages lxc,avahi-daemon,avahi-autoipd,avahi-dnsconfd,libnss-mdns
uidmapshift -b /var/lib/lxc/ubuntu-utopic/rootfs 0 755360 65536
chown 755360:755360 /var/lib/lxc/ubuntu-utopic
cat > /var/lib/lxc/ubuntu-utopic/config << EOF
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: -r utopic --packages lxc,avahi-daemon,avahi-autoipd,avahi-dnsconfd,libnss-mdns
# For additional config options, please look at lxc.container.conf(5)
# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
# Container specific configuration
lxc.rootfs = /var/lib/lxc/ubuntu-utopic/rootfs
lxc.mount = /var/lib/lxc/ubuntu-utopic/fstab
lxc.utsname = ubuntu-utopic
lxc.arch = amd64
lxc.id_map = u 0 755360 65536
lxc.id_map = g 0 755360 65536
# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
EOF
lxc-start -n ubuntu-utopic
Inside the container, I rebuilt the Avahi packages to make some tests:
sed -ri 'p;s#^deb (.*)$#deb-src \1#' /etc/apt/sources.list
apt-get install dpkg-dev gdb
apt-get source avahi-daemon
apt-get build-dep avahi-daemon
dpkg-buildpackage -us -uc
dpkg -i ../*.deb
Feel free to ask me if you need more information.
On Wednesday 01 April 2015 at 11:25 +0800, Trent Lloyd wrote:
> Hi Yann,
> Can you tell me what value of cred->uid you are actually getting
> inside these containers? I wonder if somehow you are getting the
> unmapped value.
> I assume that inside the container running "id" shows 0, but outside
> the container you see it remapped to another id?
> If you can confirm the lxc version, and possibly supply a config (or
> as much info as possible) I can reproduce with, that would be great.
> > On 6 Feb 2015, at 4:23 pm, Yann Soubeyrand <ysoubeyrand at adeneo-embedded.com> wrote:
> > Hi,
> > Avahi daemon doesn't work inside an unprivileged container, more
> > precisely inside a container where the uid 0 is mapped to a uid other
> > than 0.
> > I identified the line where the problem occurs in the Avahi sources:
> > http://git.0pointer.net/avahi.git/tree/avahi-core/netlink.c#n85.
> > I don't know if it's a bug of Avahi or if it's a bug inside the kernel.
> > My guess is that it's the latter one but I'm not sure. I think that the
> > kernel passes the credentials mapped to zero when it's the sender of the
> > message whereas it should pass all zero credentials in this case. But I
> > didn't read the code of netlink and it's purely speculation. Also, I
> > wonder if it could not introduce security flaws doing so.
> > Feel free to ask me if you need further information or if you need me to
> > be clearer in my explanations ;-)
> > I'm using Debian Sid as my host system (I tried 3.16 and 3.18 kernels)
> > and Ubuntu Vivid inside my container.
> > Cheers
-- 
Linux software engineer
Adeneo Embedded, 4 chemin du Ruisseau, 69130 Écully, France
+33 4 72 18 08 40
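An added example, not code from this thread or from Avahi: a Python script that requests an RTM_GETLINK dump over rtnetlink with SO_PASSCRED set, reads the SCM_CREDENTIALS attached to the kernel's reply, and applies a kernel-sender check of the kind the thread is discussing (pid 0 / uid 0). The "unmapped" classification for a pid-0 sender carrying the overflow uid, the rtnetlink constants, and make_ancdata() (which builds constructed ancillary data for offline samples) are my assumptions, not Avahi's code.

```python
import socket
import struct

UCRED_FMT = "iII"  # struct ucred: pid_t pid; uid_t uid; gid_t gid
UCRED_LEN = struct.calcsize(UCRED_FMT)
SCM_CREDENTIALS = getattr(socket, "SCM_CREDENTIALS", 2)  # Linux value is 2
OVERFLOW_UID = 65534  # default of sysctl kernel.overflowuid

def make_ancdata(pid, uid, gid):
    """Constructed recvmsg()-style ancillary data with one SCM_CREDENTIALS
    item, laid out as the kernel delivers it (for offline samples)."""
    return [(socket.SOL_SOCKET, SCM_CREDENTIALS,
             struct.pack(UCRED_FMT, pid, uid, gid))]

def parse_ucred(ancdata):
    """Return (pid, uid, gid) from ancillary data, or None if absent."""
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == SCM_CREDENTIALS:
            return struct.unpack(UCRED_FMT, data[:UCRED_LEN])
    return None

def classify_sender(cred, overflow=OVERFLOW_UID):
    """Trust decision keyed on the sender credentials of a netlink message:
    'kernel'   pid 0 / uid 0, the only sender a daemon should act on;
    'unmapped' pid 0 but uid == overflow uid: the kernel sent it, yet its
               init-namespace uid 0 has no mapping in this user namespace,
               so a plain uid == 0 check drops every message;
    'process'  a userspace process, never to be trusted."""
    if cred is None:
        return "missing"
    pid, uid, _gid = cred
    if pid == 0 and uid == 0:
        return "kernel"
    if pid == 0 and uid == overflow:
        return "unmapped"
    return "process"

def probe_rtnetlink():
    """Linux only: RTM_GETLINK dump (read-only, unprivileged) with SO_PASSCRED."""
    RTM_GETLINK, NLM_F_REQUEST, NLM_F_DUMP = 18, 0x01, 0x300
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    body = struct.pack("=BBHiII", socket.AF_UNSPEC, 0, 0, 0, 0, 0)  # ifinfomsg
    hdr = struct.pack("=IHHII", 16 + len(body), RTM_GETLINK,
                      NLM_F_REQUEST | NLM_F_DUMP, 1, 0)  # nlmsghdr, seq 1
    s.sendto(hdr + body, (0, 0))  # netlink address (pid 0, groups 0): the kernel
    _, ancdata, _, _ = s.recvmsg(65536, socket.CMSG_SPACE(UCRED_LEN))
    s.close()
    return parse_ucred(ancdata)  # ucred of the kernel's reply
```

On a Linux host, classify_sender(probe_rtnetlink()) should report "kernel"; inside a container with the id_map above it is expected to report "unmapped", which is the symptom described in this thread.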