Security bugfix in lxc-sshd template: add ro to the init-script
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lxc (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Quantal | | Medium | Unassigned | |
| Raring | | Medium | Unassigned | |
| Saucy | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
Bug Description
When logged in inside a container that was created with the lxc-sshd template, the mount of $rootfs/sbin/init allows modifying the init script of the container. So harm could be done to the host system at the next execution of lxc-start or lxc-create -t sshd. This can be used to gain root access since lxc is likely to be run by root.
-lxc.mount.
+lxc.mount.
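Review bot: the + line changes only the lxc.mount entry that the template writes for containers created from now on; a container created earlier keeps the old - entry in its own config file, so its init script stays writable from inside the container. The fix should come with a step, or at least a documented instruction, for updating the configs of existing sshd-template containers so that their init mount is read-only as well.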
CVE References
usrflo (sager) wrote: #1
usrflo (sager) wrote: #2
Please be aware that the sshd template creates config files inside /var/lib/
> lxc.mount.
These configs have to be patched besides the template itself.
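An added example (not part of the bug report or the lxc package) for the point in comment #2 that configs already generated by the template need patching too: it flags mount entries onto sbin/init that lack ro and rewrites them. It assumes the truncated lxc.mount. key shown on this page is lxc.mount.entry with fstab-style fields; the sample config and its /srv/lxc paths are constructed.

```python
import re

# Assumed layout (the key is truncated on the page):
#   lxc.mount.entry = <source> <target> <fstype> <options> <dump> <pass>
ENTRY = re.compile(r"^(\s*lxc\.mount\.entry\s*=\s*)(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")

def _is_writable_init(target, options):
    """True for a mount onto .../sbin/init whose options lack 'ro'."""
    on_init = target.rstrip("/").split("/")[-2:] == ["sbin", "init"]
    return on_init and "ro" not in options.split(",")

def audit(config_text):
    """Return [(line_number, line)] for init mounts writable from the container."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = ENTRY.match(line)  # commented-out entries do not match
        if m and _is_writable_init(m.group(3), m.group(5)):
            hits.append((n, line.strip()))
    return hits

def harden(config_text):
    """Return the config with each flagged entry switched to a read-only mount."""
    out = []
    for line in config_text.splitlines():
        m = ENTRY.match(line)
        if m and _is_writable_init(m.group(3), m.group(5)):
            prefix, src, tgt, fstype, opts, rest = m.groups()
            kept = [o for o in opts.split(",") if o != "rw"]  # drop explicit rw
            new_opts = ",".join(["ro"] + kept)
            line = f"{prefix}{src} {tgt} {fstype} {new_opts}{rest}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample config (not taken from the bug report).
SAMPLE = """\
lxc.utsname = ssh2
lxc.rootfs = /srv/lxc/ssh2/rootfs
# commented-out entries are ignored
#lxc.mount.entry = /x /srv/lxc/ssh2/rootfs/sbin/init none bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /usr/lib/lxc/templates/lxc-sshd /srv/lxc/ssh2/rootfs/sbin/init none bind 0 0
"""

if __name__ == "__main__":
    for n, line in audit(SAMPLE):
        print(f"line {n}: init mounted read-write: {line}")
    print(harden(SAMPLE), end="")
```

A rewritten config only takes effect the next time the container is started, so running containers still hold the old read-write mount until they are restarted.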
information type: Private Security → Public Security
Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in lxc (Ubuntu Precise):
status: New → Confirmed
Changed in lxc (Ubuntu Quantal):
status: New → Confirmed
Changed in lxc (Ubuntu Raring):
status: New → Confirmed
Changed in lxc (Ubuntu Saucy):
status: New → Confirmed
Changed in lxc (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Precise):
importance: Undecided → Medium
Changed in lxc (Ubuntu Quantal):
importance: Undecided → Medium
Changed in lxc (Ubuntu Raring):
importance: Undecided → Medium
Changed in lxc (Ubuntu Saucy):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote: #3
This bug was fixed in the package lxc - 1.0.0~alpha1-
---------------
lxc (1.0.0~
* SECURITY UPDATE: privilege escalation via sshd template (LP: #1261045)
- debian/
read-write in templates/
- CVE-2013-6441
-- Marc Deslauriers <email address hidden> Thu, 16 Jan 2014 08:55:20 -0500
Changed in lxc (Ubuntu Saucy):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Raring):
status: Confirmed → Won't Fix
Changed in lxc (Ubuntu Quantal):
status: Confirmed → Won't Fix
Changed in lxc (Ubuntu Precise):
status: Confirmed → Won't Fix
I re-checked in detail: the execution of lxc-start is unproblematic since the init script is run inside the container.
But the execution of lxc-create -t sshd for the next container can be exploited.
Please correct in my bug report:
>>>
... So harm could be done to the host system at the next execution of lxc-create -t sshd.
<<<
For your re-test:
1) add "echo I am `id` on `hostname`" to the template lxc-sshd
2) exploit:
root@agiadm:/usr/lib/lxc/templates# lxc-create -n ssh2 -t sshd
No config file specified, using the default config
I am uid=0(root) gid=0(root) Gruppen=0(root) on agiadm
...
'sshd' template installed
'ssh2' created
3) no problem:
root@agiadm:/usr/lib/lxc/templates# lxc-start -n ssh2
I am uid=0(root) gid=0(root) Gruppen=0(root) on ssh2
/usr/lib/lxc/lxc-init ist /usr/lib/lxc/lxc-init