setuid executables in a container may compromise security on the host
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxc (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Fix Released | Medium | Unassigned |
Quantal | Fix Released | Medium | Unassigned |
Raring | Fix Released | Medium | Unassigned |
Saucy | Fix Released | Medium | Unassigned |
Bug Description
=======
1. Impact: unprivileged users could run setuid-root binaries from out-of-date containers.
2. Development fix: make /var/lib/lxc world- and group-unreadable
3. Stable fix: same as development fix
4. Test case:
sudo apt-get -y install lxc
sudo lxc-create -t ubuntu -n u1
ls /var/lib/
5. Regression potential: users who want to view container contents without being root will now have to do so as root, or manually change the /var/lib/lxc permissions.
If I execute "/var/lib/
Now suppose that a user that has root access to the LXC container creates a flawed setuid executable. What happens is that now the host system is flawed too.
For example, I can patch the container's sudo to skip the authentication checks and then use /var/lib/
This assumes that you have both root access to the container and unprivileged access to the host. However, the point is: insecure filesystem policies in a container may be a source of security holes on the host system.
Of course, the same applies to capabilities too, not just the setuid/gid bits.
A possible solution to this problem would be to chmod 0700 the /var/lib/lxc directory. However, doing so you lose the ability to browse files on the container from the host.
An alternative would be to tell AppArmor to deny the execution of every file contained in /var/lib/lxc. (Or at least, to deny the execution of setuid/gid/cap files, if that's possible.)
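The exposure described in the report and the chmod 0700 fix, as an added example that is not code from the bug report or from the lxc package. It assumes the Ubuntu layout <store>/<container>/rootfs (the store being /var/lib/lxc), GNU coreutils and findutils, and builds its own constructed sample store instead of touching the real one.

```shell
#!/bin/sh
# Added example, not code from the bug report or the lxc package: audit an LXC
# container store for the exposure described above and apply the 0700 fix.
# Assumes the Ubuntu layout <store>/<container>/rootfs and GNU stat/find.
set -u

# Print 0 if <store> denies group and other all access (the fix from the report), else 1.
store_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    # mask the group/other bits; the leading 0 makes the shell read the digits as octal
    [ $(( 0$mode & 077 )) -eq 0 ] && echo 0 || echo 1
}

# Count setuid/setgid files under every rootfs in <store> that "other" may execute:
# these are the binaries an unprivileged host user can run while the store is traversable.
count_exposed() {
    find "$1" -path '*/rootfs/*' -type f \
        \( -perm -4000 -o -perm -2000 \) -perm -o=x 2>/dev/null | wc -l
}

# The fix from the report: make the whole store inaccessible to non-root users.
# This only helps while container files are not reachable some other way (bind
# mounts, a different lxc.rootfs location); such paths need the same check.
harden_store() {
    chmod 0700 "$1"
}

# Constructed sample store for running this offline: one container "u1" whose
# rootfs carries a setuid-root sudo, under the pre-fix world-traversable store.
demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/lxc/u1/rootfs/usr/bin"
    : > "$d/lxc/u1/rootfs/usr/bin/sudo"
    chmod 4755 "$d/lxc/u1/rootfs/usr/bin/sudo"
    chmod 0755 "$d/lxc"
    echo "$d/lxc"
}
```

Run `count_exposed /var/lib/lxc` as root on a real host to see how many such binaries each container contributes; the 0700 fix removes the host user's path to them without changing the files themselves.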
- description: updated
- Changed in lxc (Ubuntu Quantal): status: New → Fix Committed
- Changed in lxc (Ubuntu Raring): status: New → Fix Committed
- Changed in lxc (Ubuntu Raring): importance: Undecided → Medium
- Changed in lxc (Ubuntu Quantal): importance: Undecided → Medium
- Changed in lxc (Ubuntu Precise): importance: Undecided → Medium
- Changed in lxc (Ubuntu Saucy): importance: Undecided → Medium
Thanks for pointing this out. I don't believe it would be a serious loss of functionality to chmod 0700 /var/lib/lxc. I also don't feel that this is a high priority bug since, so far, we do not recommend allowing unprivileged users to use containers. So I think a regular update in trusty with SRUs to all previous releases is ok.