Creating VZFS Symlinks Inside a ContainerNormally it is impossible to create a VZFS symlink from a Container. The ability to create VZFS symlinks presents a serious security concern explained further in this subsection. However, there may be a situation when you need such an ability, for example, for testing created templates or creating VZFS mounts. A VZFS symlink is a symbolic link starting with four slashes. You can see VZFS symlinks in the private area of any Container, as is illustrated below: # ls -l /vz/private/101/root/bin/bash lrwxr-xr-x 1 root root 37 Jul 9 2008 \ /vz/private/101/root/bin/bash -> \ ////redhat-as4/bash-3.0-19.2/bin/bash
VZFS symlinks have no special meaning if the private area is not mounted over VZFS (to the Container root directory). If it is, then instead of a VZFS symlink the users inside the Container will see the file located in the template directory (in this particular case,
If you try to create a VZFS symlink inside the Container, you will get an error: [root@ct101 root]# ln -s ////redhat-as4/bash-3.0-19-2/bin/bash . ln: creating symbolic link `./bash' to \ `////redhat-as4/bash-3.0-19.2/bin/bash': Invalid argument
The reason for this restriction is security considerations. If an intruder can correctly guess where the template area (defined by the
# vzctl set 101 --capability sys_rawio:on --save Unable to set capability on running Container Saved parameters for Container 101 After restarting the Container, you can unpack VZRPMs inside the Container or simply create VZFS symlinks: # ssh root@ct101 root@ct101's password: Last login: Mon Oct 28 23:25:58 2008 from 10.100.40.18 [root@ct101 root]# rpm2cpio bash-3.0-19.2.i386.vz.rpm | cpio -id 94 blocks [root@ct101 root]# ls -l bin/bash -rwxr-xr-x 1 root root 519964 Oct 29 23:35 bin/bash [root@ct101 root]# ln -s ////redhat-as4/bash-3.0-19.2/bin/bash . [root@ct101 root]# ls -l bash -rwxrwxrwx 1 root root 519964 Oct 29 23:35 bash As you can see both VZFS symlinks look like regular files for Container users. If you need to unpack and work on symlinks themselves, you have to create a Container that has a directory bind-mounted over a regular file system such as EXT2FS, EXT3FS or ReiserFS. Remember that assigning this capability to non-trusted Containers can lead to compromising the server. The session below shows how a malicious Container administrator can get a copy of the server password database files: [root@ct101 root]# ln -s ////../../etc/passwd . [root@ct101 root]# ln -s ////../../etc/shadow . [root@ct101 root]# ls -l total 3 -rwxrwxrwx 1 root root 1252 Oct 29 23:56 passwd -rwxrwxrwx 1 root root 823 Oct 29 23:56 shadow While there is no easy way to substitute the password files on the server, a malicious Container administrator could run a dictionary attack against the obtained files. |
||||
|