[avahi] Avahi daemon doesn't work inside an unprivileged container

Trent Lloyd lathiat at bur.st
Wed Oct 14 03:17:52 PDT 2015


Hi Yann,

Sorry for the long follow-up, I have committed a patch to 0.6.32 which I think will fix your issue here:
https://github.com/lathiat/avahi/commit/4ae755f7c9fff9efc02a76ece42a9965eacb1fbd

This patch is currently being shipped in the Fedora 0.6.31 also.

Thanks,
Trent

> On 17 Jul 2015, at 11:55 PM, Yann Soubeyrand <ysoubeyrand at adeneo-embedded.com> wrote:
> 
> Hi Trent,
> 
> Sorry for the (very) long delay…
> 
> Inside the container I get a cred->uid value of 65534 which means (if
> I'm not mistaken) a UID overflow. I'm not sure if this is due to the
> fact that the UID 0 is mapped on the UID 755360 for this container.
> Anyway, I think that the value of cred->uid should be 0 in this case
> but I'm not sure.
> 
> Here is the setup I used. My host system is a Debian Sid with LXC 1.0.7
> -3. The container runs Ubuntu Utopic as I wasn't able to run Ubuntu
> Vivid inside an unprivileged container. The commands I used to setup my
> container to reproduce this bug are the following ones (executed under
> the superuser account). The superuser account owns 65536 sub UIDs
> starting at 755360.
> 
> HTTP_PROXY=apt lxc-create -B btrfs -t ubuntu -n ubuntu-utopic -- -r utopic --packages lxc,avahi-daemon,avahi-autoipd,avahi-dnsconfd,libnss-mdns
> uidmapshift -b /var/lib/lxc/ubuntu-utopic/rootfs 0 755360 65536
> chown 755360:755360 /var/lib/lxc/ubuntu-utopic
> cat > /var/lib/lxc/ubuntu-utopic/config << EOF
> # Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
> # Parameters passed to the template: -r utopic --packages lxc,avahi-daemon,avahi-autoipd,avahi-dnsconfd,libnss-mdns
> # For additional config options, please look at lxc.container.conf(5)
> 
> # Common configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> 
> # Container specific configuration
> lxc.rootfs = /var/lib/lxc/ubuntu-utopic/rootfs
> lxc.mount = /var/lib/lxc/ubuntu-utopic/fstab
> lxc.utsname = ubuntu-utopic
> lxc.arch = amd64
> lxc.id_map = u 0 755360 65536
> lxc.id_map = g 0 755360 65536
> 
> # Network configuration
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> EOF
> lxc-start -n ubuntu-utopic
> 
> Inside the container, I rebuilt the Avahi packages to make some tests:
> 
> sudo -s
> sed -ri 'p;s#^deb (.*)$#deb-src \1#' /etc/apt/sources.list
> apt-get update
> apt-get install dpkg-dev gdb
> apt-get source avahi-daemon
> apt-get build-dep avahi-daemon
> cd avahi-0.6.31
> dpkg-buildpackage -us -uc
> dpkg -i ../*.deb
> 
> Feel free to ask me if you need more information.
> 
> Cheers
> 
> Yann
> 
> 
> On Wednesday 01 April 2015 at 11:25 +0800, Trent Lloyd wrote:
>> Hi Yann,
>> 
>> Can you tell me what value of cred->uid you are actually getting 
>> inside these containers? I wonder if somehow you are getting the 
>> unmapped value.
>> I assume that inside the container running "id" shows 0, but outside 
>> the container you see it remapped to another id?
>> 
>> If you can confirm the lxc version, and possibly supply a config (or 
>> as much info as possible) I can reproduce with, that would be great.
>> 
>> Cheers,
>> Trent
>> 
>>> On 6 Feb 2015, at 4:23 pm, Yann Soubeyrand <ysoubeyrand at adeneo-embedded.com> wrote:
>>> 
>>> Hi,
>>> 
>>> Avahi daemon doesn't work inside an unprivileged container, more
>>> precisely inside a container where the uid 0 is mapped to a uid
>>> other than 0.
>>> 
>>> I identified the line where the problem occurs in the Avahi sources:
>>> http://git.0pointer.net/avahi.git/tree/avahi-core/netlink.c#n85.
>>> 
>>> I don't know if it's a bug of Avahi or if it's a bug inside the kernel.
>>> My guess is that it's the latter one but I'm not sure. I think that the
>>> kernel passes the credentials mapped to zero when it's the sender of the
>>> message whereas it should pass all zero credentials in this case. But I
>>> didn't read the code of netlink and it's purely speculation. Also, I
>>> wonder if it could not introduce security flaws doing so.
>>> 
>>> Feel free to ask me if you need further information or if you need me to
>>> be clearer in my explanations ;-)
>>> 
>>> I'm using Debian Sid as my host system (I tried 3.16 and 3.18 kernels)
>>> and Ubuntu Vivid inside my container.
>>> 
>>> Cheers
>>> 
>>> 
>>> 
> 
> -- 
> Linux software engineer
> Adeneo Embedded
> 4 chemin du Ruisseau
> 69130 Écully
> France
> +33 4 72 18 08 40
> _______________________________________________
> avahi mailing list
> avahi at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/avahi
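The credential check this thread is about, as an added example written for this page (it is not Avahi's code and not the linked commit): it enables SO_PASSCRED on a NETLINK_ROUTE socket, reads the SCM_CREDENTIALS attached to a kernel reply, and classifies the sender. It assumes the kernel reports an unmappable uid as the value in /proc/sys/kernel/overflowuid (65534 by default, matching the value observed above); `struct nl_cred`, `overflow_uid` and `from_kernel` are names and a rule I chose for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 2   /* value from <linux/socket.h> */
#endif
/* Same layout as the kernel's struct ucred (pid, uid, gid); own name to avoid header dependence. */
struct nl_cred { pid_t pid; uid_t uid; gid_t gid; };
/* Uid the kernel substitutes for an id with no mapping in this user namespace (default 65534). */
uid_t overflow_uid(void) {
    unsigned long v = 65534;
    FILE *f = fopen("/proc/sys/kernel/overflowuid", "r");
    if (f) { if (fscanf(f, "%lu", &v) != 1) v = 65534; fclose(f); }
    return (uid_t)v;
}
/* Kernel-originated netlink messages carry pid 0 and uid 0 of the initial namespace. In a
 * container whose uid 0 is mapped elsewhere that uid is reported as the overflow uid, so a
 * bare "uid != 0" test rejects the kernel. Assumption: this rule is my illustration only. */
int from_kernel(const struct nl_cred *c, uid_t ovf) {
    return c && c->pid == 0 && (c->uid == 0 || c->uid == ovf);
}
/* Send an RTM_GETLINK dump request and copy the credentials of the first reply into *out. */
int probe_netlink_creds(struct nl_cred *out) {
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), one = 1, rc = -1;
    if (fd < 0 || setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0) return -1;
    struct { struct nlmsghdr nh; struct rtgenmsg g; } req = {
        { NLMSG_LENGTH(sizeof(struct rtgenmsg)), RTM_GETLINK,
          NLM_F_REQUEST | NLM_F_DUMP, 1, 0 }, { AF_UNSPEC } };
    char buf[8192], cbuf[CMSG_SPACE(sizeof *out)];
    struct iovec iov = { buf, sizeof buf };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (send(fd, &req, req.nh.nlmsg_len, 0) > 0 && recvmsg(fd, &mh, 0) > 0)
        for (struct cmsghdr *cm = CMSG_FIRSTHDR(&mh); cm; cm = CMSG_NXTHDR(&mh, cm))
            if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDENTIALS) {
                memcpy(out, CMSG_DATA(cm), sizeof *out); rc = 0; break; }
    close(fd);
    return rc;
}
int main(void) {
    struct nl_cred c;
    if (probe_netlink_creds(&c) < 0) { perror("netlink"); return 1; }
    printf("pid=%d uid=%u from_kernel=%s\n", (int)c.pid, (unsigned)c.uid,
           from_kernel(&c, overflow_uid()) ? "yes" : "no");
    return 0;
}
```

Run it on the host and inside the unprivileged container: the host prints uid=0, the container prints uid=65534, and both are still classified as coming from the kernel because the pid is 0.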
