Docker https://tech.feedyourhead.at/ en Anatomy of a Linux container rootkit https://tech.feedyourhead.at/content/anatomy-of-a-linux-container-rootkit <span class="field field--name-title field--type-string field--label-hidden">Anatomy of a Linux container rootkit</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This year I gave a talk at the <a href="https://eh19.easterhegg.eu">Easterhegg 2019</a> about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor's thesis work from 2017 with some improvements.</p> <h2>Abstract</h2> <p>Linux containers are becoming increasingly popular, so an increase in attacks against container systems is likely. Once an attacker has defeated the security mechanisms of a container system, a "rootkit" can be planted. This talk details the anatomy of such a rootkit. First, the main functions of rootkits are explained. After a brief introduction to Linux containers and Linux kernel rootkits, a kernel rootkit called "themaster", developed by the author of this thesis, is described and explained. Well-known rootkit methods are used to implement functions that hide resources and escalate privileges. The results indicate that, in container systems, patching system calls is the preferred method for functions that must be globally accessible, while for rootkit functionality confined to specific containers, patching the virtual file system is the better approach. 
A special backdoor for breaking out of the container is also included, and "themaster" operates stealthily.</p> <h2>Talk</h2> <p><iframe allowfullscreen="" frameborder="0" height="576" src="https://media.ccc.de/v/eh19-168-anatomie-eines-containerfhigen-linux-kernel-rootkits/oembed" width="800"></iframe></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 07 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/kernel" hreflang="en">Kernel</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/docker" hreflang="en">Docker</a></div> </div> </div> Tue, 07 May 2019 20:03:34 +0000 Hoti 277 at 
https://tech.feedyourhead.at Support for Vivaldi (browser) added to the multimedia-docker-container https://tech.feedyourhead.at/content/vivaldi-to-the-multimedia-docker-container <span class="field field--name-title field--type-string field--label-hidden">Support for Vivaldi (browser) added to the multimedia-docker-container</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I added the <a href="https://vivaldi.com/">Vivaldi browser</a> to my <a href="https://tech.feedyourhead.at/node/137">multimedia-docker-container</a>.</p> <p>Just rebuild the image:</p> <pre> <code> ./run_mm.sh build </code></pre> <p>..and then run the app:</p> <pre> <code> ./run_mm.sh vivaldi </code></pre> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Apr 02 2016</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/docker" hreflang="en">Docker</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/96" hreflang="en">Browser</a></div> </div> </div> Sat, 02 Apr 2016 14:52:39 +0000 Hoti 172 at https://tech.feedyourhead.at Docker-Container for skype and spotify https://tech.feedyourhead.at/node/137 <span class="field field--name-title field--type-string field--label-hidden">Docker-Container for skype and spotify</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I uploaded a project on <a href="https://github.com/whotwagner/multimedia-docker">GitHub</a> that contains a Dockerfile for building a multimedia image. The image is based on Ubuntu Trusty and has Google Chrome, Skype, Firefox and Spotify pre-installed. It can be used to keep closed-source software off the host system by running it inside a container; of course all of those applications can run at once. Note that this separation is a hygiene measure rather than a hard security boundary: the applications share the host's X11 server and PulseAudio daemon, and X11 in particular does not isolate one client from another.</p> <h2>Requirements:</h2> <ul><li>pulseaudio running on the host</li> <li>X11 running on the host</li> </ul><h2>Building the image:</h2> <pre> <code> ./run_mm.sh build </code></pre> <h2>Using the image:</h2> <h3>run spotify</h3> <pre> <code> ./run_mm.sh spotify </code></pre> <h3>run skype</h3> <pre> <code> ./run_mm.sh skype </code></pre> <h3>run a shell</h3> <pre> <code> ./run_mm.sh bash </code></pre> <h3>run firefox</h3> <pre> <code> ./run_mm.sh firefox </code></pre> <h3>run vivaldi</h3> <pre> <code> ./run_mm.sh vivaldi </code></pre> <p>All of the applications can run from the same container.</p> <h2>Making changes permanent:</h2> <p>The configuration files for Spotify and Skype are persistent. This is realized with volumes mounted from $HOME/.mymultimediaapps.</p> <h2>Known Bugs</h2> <ul><li>For some reason, Spotify doesn't use the cached credentials. 
Therefore it always asks for login data.</li> <li>Google Chrome and Vivaldi sometimes crash (for example when you open Netflix)</li> </ul></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 10 2015</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/docker" hreflang="en">Docker</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> </div> </div> Thu, 10 Dec 2015 22:57:20 +0000 Hoti 137 at https://tech.feedyourhead.at Drupal-Dev Dockerfile https://tech.feedyourhead.at/content/drupal-dev-dockerfile <span class="field field--name-title field--type-string field--label-hidden">Drupal-Dev Dockerfile</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This is a Dockerfile which creates a Drupal development docker-image.</p></div> <span class="field field--name-uid field--type-entity-reference 
field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Feb 05 2015</span> <div class="field field--name-field-datei field--type-file field--label-above"> <div class="field__label">File</div> <div class="field__item"> <span class="file file--mime-application-octet-stream file--general"> <a href="https://tech.feedyourhead.at/sites/default/files/DateiUploads/Dockerfile_0.runit" type="application/octet-stream; length=3319">Dockerfile.runit</a></span> </div> </div> <div class="clearfix text-formatted field field--name-field-md5sum field--type-text field--label-above"> <div class="field__label">md5sum</div> <div class="field__item">fb7008ebd6fec1c0e2f17f182ccd9fff</div> </div> <div class="clearfix text-formatted field field--name-field-sha256sum field--type-text field--label-above"> <div class="field__label">sha256sum</div> <div class="field__item">3be2875a5cdb1637f67c3377896258c0dd972c22c5fad3f00ed253e43203f206</div> </div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class="field__items"> <div class="field__item"><a href="/tags/downloads" hreflang="en">Downloads</a></div> <div class="field__item"><a href="/tags/docker" hreflang="en">Docker</a></div> </div> </div> Thu, 05 Feb 2015 18:21:30 +0000 Hoti 42 at https://tech.feedyourhead.at Docker https://tech.feedyourhead.at/content/docker <span class="field field--name-title field--type-string field--label-hidden">Docker</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="http://www.docker.com"><img alt="" 
src="http://tech.feedyourhead.at/sites/tech.feedyourhead.at/files/pictures/docker.png" style="width: 792px; height: 269px;" /></a></p> <p>At the moment there is a great hype about "<a href="http://www.docker.com">docker</a>", even though the technique isn't new. So what's so great about it?</p> <p>I think it got popular because it's very easy to build system containers with it. There is also a registry where you find ready-to-use environments for many use cases. With a few commands you can have an isolated system with all the configs you need. Compared to virtual machines, those containers need a minimum of resources because they share the host's kernel, and they don't need to boot: they just run when they are started. The flip side is that the shared kernel is also the isolation boundary. A container is separated from the host by namespaces, cgroups and capabilities, not by a hypervisor, so a kernel bug or an over-privileged container is a host problem. Docker adds a kind of script called a "Dockerfile", a recipe describing how an image should be configured, customized and built.</p> <p>When I first heard about docker I was only thinking of developers. Now I realize how useful this tool can be for administrators too: one server can give every customer their own "linux+apache2+mysql" system, instead of virtual hosting or chroot-ing.</p> <p>In this article I want to describe how to create a "Debian Wheezy" image using "debootstrap". This debianwheezy image will be the base for our Dockerfile. The Dockerfile itself will create another image called "hoti/drupal-dev", in which we pre-install an SSH server, MySQL server, Apache2, PHP5, drush and Drupal.</p> <p>Download a Debian Wheezy bootstrap into a directory called wheezy (debootstrap needs to run as root):</p> <pre> <code> debootstrap wheezy wheezy </code></pre> <p>Our output looks like this:</p> <pre> <code> I: Configuring ifupdown...
I: Configuring kmod...
I: Configuring libapt-pkg4.12:amd64...
I: Configuring libept1.4.12...
I: Configuring libapt-inst1.5:amd64...
I: Configuring libreadline6:amd64...
I: Configuring logrotate...
I: Configuring libboost-iostreams1.49.0...
I: Configuring groff-base...
I: Configuring gnupg...
I: Configuring libsigc++-2.0-0c2a:amd64...
I: Configuring libgnutls26:amd64...
I: Configuring apt-utils...
I: Configuring udev...
I: Configuring iptables...
I: Configuring man-db...
I: Configuring apt...
I: Configuring wget...
I: Configuring libcwidget3...
I: Configuring aptitude...
I: Configuring tasksel...
I: Configuring tasksel-data...
I: Base system installed successfully. </code></pre> <p>Now create a docker image from that directory:</p> <pre> <code> tar -C wheezy/ -c . | docker import - debianwheezy </code> </pre> <p>And check that it was created successfully:</p> <pre> <code> docker images -a
REPOSITORY          TAG       IMAGE ID       CREATED          VIRTUAL SIZE
debianwheezy        latest    f5c9b4660eee   18 seconds ago   218.4 MB </code> </pre> <p>Let's delete the bootstrap files (the directory debootstrap created is called wheezy, the image keeps its own copy):</p> <pre> <code> rm -r wheezy </code> </pre> <p>Now we create a container out of our image and install the world's best editor into it:</p> <pre> <code> docker run -it debianwheezy /bin/bash
root@5c0a2b5468c1:/# apt-get update
Hit http://ftp.us.debian.org wheezy Release.gpg
Hit http://ftp.us.debian.org wheezy Release
Hit http://ftp.us.debian.org wheezy/main amd64 Packages
Get:1 http://ftp.us.debian.org wheezy/main Translation-en [3846 kB]
Fetched 3846 kB in 5s (668 kB/s)
Reading package lists... Done
root@5c0a2b5468c1:/# apt-get install vim
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libgpm2 vim-runtime
Suggested packages:
  gpm ctags vim-doc vim-scripts
The following NEW packages will be installed:
  libgpm2 vim vim-runtime
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 5484 kB of archives.
After this operation, 24.9 MB of additional disk space will be used.
Do you want to continue [Y/n]? 
y
Get:1 http://ftp.us.debian.org/debian/ wheezy/main libgpm2 amd64 1.20.4-6 [35.8 kB]
Get:2 http://ftp.us.debian.org/debian/ wheezy/main vim-runtime all 2:7.3.547-7 [4607 kB]
Get:3 http://ftp.us.debian.org/debian/ wheezy/main vim amd64 2:7.3.547-7 [841 kB]
Fetched 5484 kB in 7s (711 kB/s)
Selecting previously unselected package libgpm2:amd64.
(Reading database ... 9308 files and directories currently installed.)
Unpacking libgpm2:amd64 (from .../libgpm2_1.20.4-6_amd64.deb) ...
Selecting previously unselected package vim-runtime.
Unpacking vim-runtime (from .../vim-runtime_2%3a7.3.547-7_all.deb) ...
Adding 'diversion of /usr/share/vim/vim73/doc/help.txt to /usr/share/vim/vim73/doc/help.txt.vim-tiny by vim-runtime'
Adding 'diversion of /usr/share/vim/vim73/doc/tags to /usr/share/vim/vim73/doc/tags.vim-tiny by vim-runtime'
Selecting previously unselected package vim.
Unpacking vim (from .../vim_2%3a7.3.547-7_amd64.deb) ...
Processing triggers for man-db ...
Setting up libgpm2:amd64 (1.20.4-6) ...
Setting up vim-runtime (2:7.3.547-7) ...
Processing /usr/share/vim/addons/doc
Setting up vim (2:7.3.547-7) ...
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vim (vim) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vimdiff (vimdiff) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rvim (rvim) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rview (rview) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vi (vi) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/view (view) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/ex (ex) in auto mode
root@5c0a2b5468c1:/# exit </code> </pre> <p>With "exit" we stopped the container and returned to the host shell. 
Now let's check the state of our container:</p> <pre> <code> docker ps -a
CONTAINER ID   IMAGE                 COMMAND       CREATED         STATUS                      PORTS   NAMES
5c0a2b5468c1   debianwheezy:latest   "/bin/bash"   3 minutes ago   Exited (0) 45 seconds ago           clever_almeida </code> </pre> <p>Now let's commit our changes into our debianwheezy image, so that we have a debianwheezy image with vim pre-installed:</p> <pre> <code> docker commit -m "vim installed" 5c0a2b5468c1 debianwheezy:latest
4b4f8b6f115b042f1d4ed5dcbb3d607e63316f33d6004a43ac994a8c4c99bfc1 </code></pre> <p>We can remove our container and create a new one to check that vim is installed:</p> <pre> <code> docker rm 5c0a2b5468c1
5c0a2b5468c1 </code></pre> <pre> <code> docker run -it debianwheezy:latest /bin/bash
root@54bfa48a9ac0:/# apt-get install vim
Reading package lists... Done
Building dependency tree
Reading state information... Done
vim is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@54bfa48a9ac0:/# </code> </pre> <p>Since this worked, we can now stop and remove this container:</p> <pre> <code> docker stop 54bfa48a9ac0
docker rm 54bfa48a9ac0 </code> </pre> <p>Finally it's time for our Dockerfile (I borrowed the file from <a href="https://www.debian-administration.org/article/698/Automating_the_creation_of_docker_images">https://www.debian-administration.org/article/698/Automating_the_creation_of_docker_images</a>). Two things are worth knowing before reading it. Each runit run script must exec its daemon in the foreground: runit supervises the process the script turns into, so a backgrounded or self-daemonizing service exits immediately and gets respawned in a loop, which is why the scripts use sshd -D, mysqld_safe and apache2ctl -D FOREGROUND. And the image sets a root password that is literally in the file and exposes sshd, which is fine for a throwaway development box but nothing you want reachable from the network (see the run command below).</p> <pre> <code lang="nohighlight"> #
# Simple dockerfile for an ssh + server.
#
# Source: https://www.debian-administration.org/article/698/Automating_the_creation_of_docker_images
#
# Hoti
# --
#

#
# From this base-image / starting-point
#
FROM debianwheezy

#
# Authorship
#
MAINTAINER hoti

#
# Update apt
#
RUN DEBIAN_FRONTEND=noninteractive apt-get update -q -q
RUN DEBIAN_FRONTEND=noninteractive apt-get upgrade --yes --force-yes

#
# Install utilities
#
RUN DEBIAN_FRONTEND=noninteractive apt-get install curl git less sudo screen --yes --force-yes

#
# Install runit
#
RUN DEBIAN_FRONTEND=noninteractive apt-get install runit --yes --force-yes

#
# Install SSH
#
RUN DEBIAN_FRONTEND=noninteractive apt-get install openssh-server openssh-client --yes --force-yes

#
# Install MySQL
#
RUN DEBIAN_FRONTEND=noninteractive apt-get install mysql-server --yes --force-yes

#
# Install Apache2 + php5
#
RUN DEBIAN_FRONTEND=noninteractive apt-get install apache2 php5 php5-cli php5-mysql php5-gd --yes --force-yes

#
# Setup a root password; simple enough to remember, but hard enough that
# it won't be cracked immediately. (ha!)
#
RUN echo "root:toor" | chpasswd

#
# Expose the SSH port
#
EXPOSE 22

#
# Expose the Apache2 port
#
EXPOSE 80

#
# Now make sure that runit will launch SSHD, MySQL and Apache2.
#
# NOTE: Remember runit will launch /etc/service/&lt;name&gt;/run and supervise
# the process it execs, so every run script keeps its daemon in the foreground.
#
RUN mkdir /etc/service/sshd
RUN /bin/echo -e '#!/bin/sh' &gt; /etc/service/sshd/run
RUN /bin/echo -e 'exec /usr/sbin/sshd -D' &gt;&gt; /etc/service/sshd/run
RUN mkdir /etc/service/mysqld
RUN /bin/echo -e '#!/bin/sh' &gt; /etc/service/mysqld/run
RUN /bin/echo -e 'exec mysqld_safe' &gt;&gt; /etc/service/mysqld/run
RUN mkdir /etc/service/apache2
RUN /bin/echo -e '#!/bin/sh' &gt; /etc/service/apache2/run
RUN /bin/echo -e 'exec apache2ctl -D FOREGROUND' &gt;&gt; /etc/service/apache2/run

#
# Make sure our run-scripts are executable.
#
RUN chown root:root /etc/service/sshd/run
RUN chmod 755 /etc/service/sshd/run
RUN chown root:root /etc/service/mysqld/run
RUN chmod 755 /etc/service/mysqld/run
RUN chown root:root /etc/service/apache2/run
RUN chmod 755 /etc/service/apache2/run

#
# Install composer + drush
#
RUN curl -sS https://getcomposer.org/installer | php
RUN mv composer.phar /usr/local/bin/composer
RUN chown root:root /usr/local/bin/composer
RUN chmod 755 /usr/local/bin/composer
RUN composer global require drush/drush:dev-master
RUN ln -s /root/.composer/vendor/drush/drush/drush /usr/local/bin/drush
RUN ln -s /root/.composer/vendor/drush/drush/drush.complete.sh /etc/bash_completion.d/

#
# Drush defaults and a Drupal 7 checkout. The drushrc line is double-quoted
# with an escaped $ so that the single quotes PHP needs survive the shell.
#
RUN mkdir /etc/drush
RUN mkdir /var/www/drupal
RUN echo '&lt;?php' &gt; /etc/drush/drushrc.php
RUN echo "\$options['r'] = '/var/www/drupal';" &gt;&gt; /etc/drush/drushrc.php
RUN cd /var/www &amp;&amp; git clone --branch 7.x http://git.drupal.org/project/drupal.git
RUN cd /var/www/drupal/sites/default &amp;&amp; mkdir /var/www/drupal/sites/default/files &amp;&amp; cp default.settings.php settings.php
# RUN mysqladmin -uroot create drupal
RUN chown www-data /var/www/drupal/sites/default/files
RUN chown www-data /var/www/drupal/sites/default/settings.php
RUN a2enmod rewrite

#
# Finally launch runit.
#
ENTRYPOINT ["/usr/sbin/runsvdir-start"] </code> </pre> <p><a href="http://tech.feedyourhead.at/content/drupal-dev-dockerfile">Download the Dockerfile here.</a></p> <p>Build the image using the Dockerfile:</p> <pre> <code lang="nohighlight"> docker build -t=hoti/drupal-dev - &lt; Dockerfile.runit </code> </pre> <p>..and create a container instance. The published ports are bound to 127.0.0.1 on purpose: with root:toor and password authentication enabled, a plain -p 1122:22 would offer that login on every interface of the host, and because Docker publishes ports through its own iptables chains, rules in the host's INPUT chain would not stop it:</p> <pre> <code> docker run -d -p 127.0.0.1:1122:22 -p 127.0.0.1:1180:80 hoti/drupal-dev </code> </pre> <p>Now we can connect via ssh:</p> <pre> <code> ssh root@localhost -p 1122 </code> </pre> <p>..or using a browser:</p> <pre> <code> http://localhost:1180/drupal </code> </pre> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Nov 22 2014</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/docker" hreflang="en">Docker</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/drupal" hreflang="en">Drupal</a></div> </div> </div> Sat, 22 Nov 2014 18:11:51 +0000 Hoti 18 at https://tech.feedyourhead.at
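The drupal-dev Dockerfile above is a development image and uses several patterns a reviewer would flag: a password written into an image layer, sshd exposed from the container, an installer fetched from the network and piped straight into php without a checksum, apt's --force-yes, a git clone over plaintext HTTP, and a dependency pinned to a moving dev-master branch. The following is an added example, not code from the article or from the debian-administration page it borrows from: a small POSIX shell audit that finds those patterns in any Dockerfile. The function names (audit_dockerfile, demo), the finding codes and messages, and the constructed sample excerpt it runs against are this example's own; the sample deliberately contains the backgrounded runit run line (exec ... &) so that the RUNIT check has something to report.

```shell
#!/bin/sh
# Added example, not part of the original article or of the borrowed Dockerfile:
# a small audit that scans a Dockerfile for the risky instructions used in the
# drupal-dev image and prints one finding per line as "LINE CODE message".
# Assumes only POSIX sh and grep; the finding codes are this example's own.

# has PATTERN: true if the current $line matches the extended regex PATTERN
has() {
    printf '%s\n' "$line" | grep -Eq -- "$1"
}

# _audit_stream: read a Dockerfile on stdin and report risky instructions
_audit_stream() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '#'*|'') continue ;;   # comments and blank lines carry no instruction
        esac
        has 'chpasswd|PASSWORD=' &&
            echo "$lineno CRED password baked into an image layer (readable via docker history)"
        has '^EXPOSE[[:space:]]+22([[:space:]]|$)' &&
            echo "$lineno SSHD sshd exposed from the container; with a known root password this is a remote root login"
        has 'curl[^|]*[|][[:space:]]*(sh|bash|php|python)' &&
            echo "$lineno PIPE remote installer piped into an interpreter without checksum verification"
        has '(^|[[:space:]])--force-yes' &&
            echo "$lineno APT --force-yes lets apt continue past failed package authentication"
        has 'git clone[^#]*http://' &&
            echo "$lineno PLAIN source cloned over plaintext HTTP, no integrity or origin guarantee"
        has ':dev-master' &&
            echo "$lineno PIN dependency tracks a moving branch instead of a pinned release"
        has 'exec [^&]*&' &&
            echo "$lineno RUNIT run script backgrounds its daemon; runit will respawn it in a loop"
    done
    return 0
}

# audit_dockerfile [FILE]: audit FILE, or stdin when no file is given
audit_dockerfile() {
    if [ $# -gt 0 ]; then
        _audit_stream < "$1"
    else
        _audit_stream
    fi
}

# demo: run the audit over a constructed excerpt of the drupal-dev Dockerfile
# (sample input, written for this example; the runit line is the backgrounded
# form from the borrowed original so the RUNIT check fires)
demo() {
    _audit_stream <<'EOF'
FROM debianwheezy
RUN DEBIAN_FRONTEND=noninteractive apt-get upgrade --yes --force-yes
RUN echo "root:toor" | chpasswd
EXPOSE 22
EXPOSE 80
RUN /bin/echo -e 'exec mysqld_safe &' >> /etc/service/mysqld/run
RUN curl -sS https://getcomposer.org/installer | php
RUN composer global require drush/drush:dev-master
RUN cd /var/www && git clone --branch 7.x http://git.drupal.org/project/drupal.git
ENTRYPOINT ["/usr/sbin/runsvdir-start"]
EOF
}

# Usage: audit_dockerfile Dockerfile.runit   (or pipe a Dockerfile on stdin)
demo
```

Run it as audit_dockerfile Dockerfile.runit, or feed a Dockerfile on stdin. It is a grep over single lines, not a Dockerfile parser, so a RUN instruction continued across several lines with backslashes can slip past it; treat it as a review aid rather than a policy gate. The fix for the PIPE finding, for instance, is to download the installer to a file, compare its hash against the checksum composer publishes for it, and only then run it, so that a compromised download cannot end up as an unverified layer of the image.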