Security bugfix in lxc-sshd template: add ro to the init-script
Bug #1261045 reported by usrflo
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxc (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Won't Fix | Medium | Unassigned |
Quantal | Won't Fix | Medium | Unassigned |
Raring | Won't Fix | Medium | Unassigned |
Saucy | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Bug Description
Being logged in inside a container that was created with the lxc-sshd template, the mount of $rootfs/sbin/init allows modifying the init script of the container. So harm could be done to the host system at the next execution of lxc-start or lxc-create -t sshd. This can be used to gain root access since lxc is likely to be run by root.
-lxc.mount.
+lxc.mount.
CVE References
information type: Private Security → Public Security
Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in lxc (Ubuntu Precise):
status: New → Confirmed
Changed in lxc (Ubuntu Quantal):
status: New → Confirmed
Changed in lxc (Ubuntu Raring):
status: New → Confirmed
Changed in lxc (Ubuntu Saucy):
status: New → Confirmed
Changed in lxc (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Precise):
importance: Undecided → Medium
Changed in lxc (Ubuntu Quantal):
importance: Undecided → Medium
Changed in lxc (Ubuntu Raring):
importance: Undecided → Medium
Changed in lxc (Ubuntu Saucy):
importance: Undecided → Medium
Changed in lxc (Ubuntu Raring):
status: Confirmed → Won't Fix
Changed in lxc (Ubuntu Quantal):
status: Confirmed → Won't Fix
Changed in lxc (Ubuntu Precise):
status: Confirmed → Won't Fix
I re-checked in detail: the execution of lxc-start is unproblematic since the init script is run inside the container.
But the execution of lxc-create -t sshd for the next container can be exploited.
Please correct in my bug report:
>>>
... So harm could be done to the host system at the next execution of lxc-create -t sshd.
<<<
For your re-test:
1) add "echo I am `id` on `hostname`" to the template lxc-sshd
2) exploit:
root@agiadm:/usr/lib/lxc/templates# lxc-create -n ssh2 -t sshd
No config file specified, using the default config
I am uid=0(root) gid=0(root) Gruppen=0(root) on agiadm
...
'sshd' template installed
'ssh2' created
3) no problem:
root@agiadm:/usr/lib/lxc/templates# lxc-start -n ssh2
I am uid=0(root) gid=0(root) Gruppen=0(root) on ssh2
/usr/lib/lxc/lxc-init ist /usr/lib/lxc/lxc-init
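
An added example, not part of the bug report or of lxc itself: a small Python audit that flags bind mounts in an LXC container config that lack the ro option, which is the condition this bug describes for the template mounted at $rootfs/sbin/init. It assumes the mount is declared with LXC's fstab-style lxc.mount.entry key (the diff in the report is cut off after "lxc.mount."); the container names and rootfs paths in the sample are constructed.

```python
# Constructed sample config (not taken from the bug report). Line 2 is a
# writable bind mount of a host-side script onto the container's /sbin/init;
# line 3 is the same kind of mount with "ro" added.
SAMPLE_CONFIG = """\
lxc.rootfs = /var/lib/lxc/ssh1/rootfs
lxc.mount.entry = /usr/lib/lxc/templates/lxc-sshd /var/lib/lxc/ssh1/rootfs/sbin/init none bind 0 0
lxc.mount.entry = /usr/lib/lxc/templates/lxc-sshd /var/lib/lxc/ssh2/rootfs/sbin/init none ro,bind 0 0
# lxc.mount.entry = /etc/example /var/lib/lxc/ssh1/rootfs/etc/example none bind 0 0
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
"""


def writable_bind_mounts(config_text):
    """Return (line_no, source, target) for every lxc.mount.entry that
    bind-mounts a path into the container without the "ro" option."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "lxc.mount.entry":
            continue
        # fstab layout: source target fstype options dump pass
        fields = value.split()
        if len(fields) < 4:
            continue
        source, target, _fstype, options = fields[:4]
        opts = set(options.split(","))
        if opts & {"bind", "rbind"} and "ro" not in opts:
            findings.append((line_no, source, target))
    return findings


if __name__ == "__main__":
    for line_no, source, target in writable_bind_mounts(SAMPLE_CONFIG):
        print(f"line {line_no}: {source} is bind-mounted writable at {target}")
```

Any host file reported here can be modified by root inside the container, so entries whose source is a script that root later runs on the host deserve the ro option first.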