
I recently discovered that the way OpenVZ mounts /proc inside of containers by default isn't as secure as it could be (it's mounted as rw). When combined with insecure scripts on the server, this creates a vulnerability as described here:

https://www.exploit-db.com/papers/12886/

One solution to this vulnerability would be to have no insecure scripts on the server. However, failing that, it makes sense to also close this vulnerability by not having /proc insecurely mounted in the first place.

On a physical Linux machine, this vulnerability can be closed by running this:

mount -o remount,nosuid,noexec /proc

However, this does not work inside of containers. At least it doesn't anymore. It used to work under Proxmox 1.9 (vzkernel-2.6.32-042stab037.1). But, now I'm running OpenVZ under Proxmox 3.1 (vzkernel-2.6.32-042stab079.5) and I get this:

~# mount -o remount,nosuid,noexec /proc
mount: mount failed

In LXC, I noticed that /proc attributes can be specified using the lxc.mount.auto configuration option in the container config. I haven't been able to figure out how to do this in OpenVZ.

I've already tried setting the mount options from /etc/fstab inside the container, but that seems to be ignored.

Any ideas?

Extra Sauce
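The remount in the question is the fix; the companion check is verifying that /proc actually carries nosuid and noexec, since the mount command can silently leave the old options in place. Added example, not from the original post and not OpenVZ or Proxmox tooling: a POSIX shell function that reads a mount table in /proc/mounts format and reports which hardening options are missing on a given mount point. The sample table is constructed; the function names are my own.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not captured from the post's
# container): /proc is mounted plain rw, /sys and /dev/pts are hardened.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none /dev/pts devpts rw,nosuid,noexec,relatime 0 0'

# proc_missing_opts MOUNT_TABLE MOUNTPOINT
# Prints the hardening options (nosuid, noexec) absent on MOUNTPOINT.
# Exit status: 0 = both set, 1 = at least one missing, 2 = mount point
# not present in the table. The last matching line wins, as the kernel
# lists the most recent mount on a path last.
proc_missing_opts() {
    table=$1
    target=$2
    opts=$(printf '%s\n' "$table" | awk -v mp="$target" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 2
    missing=""
    for want in nosuid noexec; do
        # Surround with commas so "nosuid" cannot match inside another option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Report on the live system when a mount table is readable (guarded so the
# script also runs where /proc/mounts does not exist).
if [ -r /proc/mounts ]; then
    if missing=$(proc_missing_opts "$(cat /proc/mounts)" /proc); then
        echo "/proc: nosuid and noexec both set"
    else
        echo "/proc: not hardened (missing: ${missing:-mount not found})"
    fi
fi
```

Run it inside the container after the remount attempt; a non-empty "missing" line means the remount did not take effect even if mount printed nothing.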
