Having fun with containers

Not really having anything specific to do yesterday, I chose to have a bit of fun with sandbox.

I ended up installing a completely clean Ubuntu 10.10 in a VM with just an ssh server running.
I then installed sandbox from my PPA and appended the following line to my /etc/ssh/sshd_config:

ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"

And this one to /etc/sudoers:

ALL ALL=NOPASSWD: /usr/bin/sandbox

Then restarted sshd.

The result is that any incoming SSH connection is sent to its own sandbox, with no direct access to the disk and no network available, and cannot see other users' processes.
Connecting twice over SSH will give you two shells which won’t be able to see each other.
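
A NOPASSWD rule like the one above is worth checking mechanically before it lands on a real machine. The following auditor is an added example, not part of the original post or of sandbox itself; it handles a simplified subset of sudoers syntax, and the `%sandboxed` group and severity labels are hypothetical.

```python
import re

# Simplified sudoers user-spec pattern: who hosts = (runas) TAG: commands
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (line_no, severity, message) findings for NOPASSWD rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments (and #include) ignored
        first = line.split(" ", 1)[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        who = m["who"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append((no, "critical", f"{who}: any command, no password"))
            elif " " not in cmd:
                # A bare path in sudoers matches the command with ANY arguments.
                findings.append((no, "warn", f"{who}: {cmd} with arbitrary arguments"))
        if who == "ALL":
            findings.append((no, "warn", "rule applies to every account"))
    return findings

# Constructed sample; only line 4 is the rule shown in the post.
SAMPLE = """\
# constructed sudoers sample
Defaults env_reset
ALL ALL=(ALL) NOPASSWD: ALL
ALL ALL=NOPASSWD: /usr/bin/sandbox
%sandboxed ALL=(root) NOPASSWD: /usr/bin/sandbox
root ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for no, severity, message in audit_sudoers(SAMPLE):
        print(f"line {no}: [{severity}] {message}")
```

Scoping the rule to a dedicated group, as on line 5 of the sample, clears the "every account" finding; the arguments finding remains because the sandbox command has to accept the forwarded SSH command.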

About Stéphane Graber

Project leader of Linux Containers, Linux hacker, Ubuntu core developer, conference organizer and speaker.

3 Responses to Having fun with containers

  1. foo says:

    Um, that is a *VERY* insecure sudo configuration. It allows any user to run any command as any other user (inc root) without a password.

    1. Hi,

      Indeed, the sudoers config was a bit insecure. I updated the example so people reading the post won’t do it on their machine without having a specific use for it.

      In my case (my VM), it wasn’t as much of a problem as only SSH access was allowed and anyone connecting was forced into a container.
      So they indeed were granted root access in their container but couldn’t modify anything on the “host” unless they have some non-ssh access.

      Anyway, thanks for reporting it.

  2. Ikem says:

    > I then installed _sandbox_ from my PPA
