OpenVZ rescue console
- Thread starter SpeedBus
- Start date
Is it for client-area or administrative access?
I should really look into this also. As much as I like the SolusVM SSH wrapper method, it's about time I come up with my own solution. I'll update this thread if I figure something out (ideally if somebody has a good method please post it here so I can be lazy). 
Something like:
https://code.google.com/p/ovz-web-panel/issues/detail?id=213
"4. Execute on server command: /usr/bin/vncterm -rfbport 5900 -passwdfile rm:/tmp/.vncpwfile.#### -timeout 1 -c /usr/sbin/vzctl enter <VEID>"
?
https://code.google.com/p/ovz-web-panel/issues/detail?id=213
"4. Execute on server command: /usr/bin/vncterm -rfbport 5900 -passwdfile rm:/tmp/.vncpwfile.#### -timeout 1 -c /usr/sbin/vzctl enter <VEID>"
?
Mohammed H
New Member
Hello,
this is just an idea not sure if its a secure method or not (it can be extended as long as you know bash) :
on Node :
useradd -d console-user
passwd console-user
create file /home/console-user/enter.sh with below content :
#!/bin/bash
exec sudo /usr/sbin/vzctl enter Container-ID
now add root powers to that user to execute vzctl via sudo
visudo
and add
console-user ALL=(ALL) NOPASSWD: /usr/sbin/vzctl
last thing
chmod 755 /home/console-user/enter.sh
usermod -s /home/console-user/enter.sh console-user
now when you login with console-user you will enter to VPS with Container-Id (specified in our enter.sh) as root .
Highest Regards
Mohammed H
this is just an idea not sure if its a secure method or not (it can be extended as long as you know bash) :
on Node :
useradd -d console-user
passwd console-user
create file /home/console-user/enter.sh with below content :
#!/bin/bash
exec sudo /usr/sbin/vzctl enter Container-ID
now add root powers to that user to execute vzctl via sudo
visudo
and add
console-user ALL=(ALL) NOPASSWD: /usr/sbin/vzctl
last thing
chmod 755 /home/console-user/enter.sh
usermod -s /home/console-user/enter.sh console-user
now when you login with console-user you will enter to VPS with Container-Id (specified in our enter.sh) as root .
Highest Regards
Mohammed H
Last edited by a moderator:
Does anyone have a guide for installing vncterm? I looked at the GitHub repo but couldn't find any guides.
@Mohammed H Sounds interesting, will test it soon.
@Mohammed H Sounds interesting, will test it soon.
lbft
New Member
Don't forget that the user can do other stuff that you don't necessarily want with ssh, e.g. tunnelling traffic through the server with SSH port forwarding or SOCKS proxying (including bypassing bandwidth limits, obscuring the source of attack traffic and accessing any resources on your internal network that are restricted to the server's IP.)
So make sure, if you go that way, that you properly configure your SSH daemon so that console users don't have access to anything you don't want (e.g. AllowTcpForwarding no, etc.)
So make sure, if you go that way, that you properly configure your SSH daemon so that console users don't have access to anything you don't want (e.g. AllowTcpForwarding no, etc.)
Last edited by a moderator:
I don't see that being a secure method unfortunately.
chroot jail may be worth investigating, though there's also lots of issues with it too... :/
Last edited by a moderator:
Mohammed H
New Member
Hi there,
I already stated that . but still I didn't find anyway to exploit it till now. the only issue I can think of is if vzctl itself have privilege escalation problem . and that is vendor problem not the mentioned idea problem.
@lbft very true . thanks
Highest Regards
Mohammed H
The main issue I see is that the user logging in - has permissions to run vzctl as superuser. If there's even the slightest flaw -- they've now got full access to all clients on the node's VPS.
Last edited by a moderator:
Mohammed H
New Member
@Flapadar
I checked the c code of (vzctl enter) its using linux fork() function to fork a new pid with its own allocated memory.
I can assume its very safe to use it since the ssh session will die once that pid dies or exit. there is no way I'm aware of to exit that fork and back to node as the logged user and have the ability to use vzctl to get full access.
also I tried many scenarios (if container does not exist, if container is down, if container is suspended, etc ...) the ssh session will just die when there is no fork . (thanks to bash exec) .
Highest Regards
Mohammed H
I checked the c code of (vzctl enter) its using linux fork() function to fork a new pid with its own allocated memory.
I can assume its very safe to use it since the ssh session will die once that pid dies or exit. there is no way I'm aware of to exit that fork and back to node as the logged user and have the ability to use vzctl to get full access.
also I tried many scenarios (if container does not exist, if container is down, if container is suspended, etc ...) the ssh session will just die when there is no fork . (thanks to bash exec) .
Highest Regards
Mohammed H
I was playing around with this tonight and the best I could come up with was an SSH wrapper (similar to SolusVM's and @Mohammed H's suggestion).
Here's the code in case anybody wants to take a look:
/usr/bin/openvz
/usr/bin/openvzenter
Command to add user:
Snipper from /etc/passwd:
Snippet from /etc/sudoers:
Here's the code in case anybody wants to take a look:
/usr/bin/openvz
Code:
#!/bin/bash
USERNAME=`whoami`
CTID=`whoami | sed -r 's/^.{4}//'`
CTCONF="/etc/vz/conf/$CTID.conf"
if [ $CTID -gt 100 ] && [ -f "$CTCONF" ]; then
/usr/bin/sudo /usr/bin/openvzenter $CTID
else
echo -e "Invalid VPS."
exit 0
fi/usr/bin/openvzenter
Code:
/usr/sbin/vzctl enter $1Command to add user:
Code:
adduser -G openvzusers -s /usr/bin/openvz user101Snipper from /etc/passwd:
Code:
user101:x:511:512::/home/user101:/usr/bin/openvzSnippet from /etc/sudoers:
Code:
%openvzusers ALL = NOPASSWD: /usr/bin/openvzenter