Wrong mode on unix.socket when socket activated

Bug #1515689 reported by Stéphane Graber on 2015-11-12
Affects          Status   Importance   Assigned to         Milestone
lxd (Ubuntu)              Critical     Stéphane Graber
  Trusty                  Critical     Stéphane Graber
  Wily                    Critical     Marc Deslauriers
  Xenial                  Critical     Stéphane Graber

Bug Description

LXD uses systemd socket activation to start the daemon except at installation time where the daemon is started directly.

Systemd defaults to 0666 for its unix sockets instead of respecting umask, leading to /var/lib/lxd/unix.socket being world writable instead of being restricted to the lxd group as it should be.

The fix is simply to specify a mode of 0660 in the systemd unit.

This affects LXD in wily, xenial and trusty-backports. vivid's version is unaffected as we didn't have socket activation back then.
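The failure mode the report describes, reproduced as an added example that is not LXD's or systemd's code: systemd applies its SocketMode= value explicitly (default 0666) rather than letting umask decide, so the socket file ends up world-writable, and since connect() on a unix socket requires write permission on the inode, any local user can talk to the daemon. The script below mimics that by binding a unix socket and applying the mode with os.chmod, then runs the check a practitioner would run on the real path; the temp-directory paths, the function names and the use of chmod to stand in for SocketMode= are all assumptions made for the example.

```python
import os
import socket
import stat
import tempfile

# Constructed example, not LXD or systemd code. systemd's SocketMode= is
# simulated with an explicit os.chmod after bind(), which is the essential
# behaviour: the mode is set regardless of the process umask.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666   # systemd's default SocketMode=
LXD_FIXED_SOCKET_MODE = 0o660         # the mode the LP #1515689 fix puts in the unit


def bind_unix_socket(path, socket_mode):
    """Bind a listening unix socket at `path` and apply `socket_mode`
    explicitly, as systemd does for SocketMode=. Returns the listening
    socket; the caller closes it."""
    if os.path.exists(path):
        os.unlink(path)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.listen(1)
    os.chmod(path, socket_mode)   # umask does not apply to chmod
    return s


def socket_perm_bits(path):
    """Permission bits of the socket inode (e.g. 0o660). Refuses non-sockets
    so a stray regular file at the path is not mistaken for the daemon socket."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a unix socket")
    return stat.S_IMODE(st.st_mode)


def is_world_writable(path):
    """True when 'other' holds write permission, i.e. any local user may
    connect(): the exact condition reported for /var/lib/lxd/unix.socket."""
    return bool(socket_perm_bits(path) & stat.S_IWOTH)


def audit(path):
    """Return (mode, verdict) for a socket path, suitable for a hardening check."""
    mode = socket_perm_bits(path)
    if mode & stat.S_IWOTH:
        return mode, "FAIL: world-writable"
    return mode, "ok: restricted to owner and group"


def demo():
    """Bind one socket with systemd's default mode and one with the fixed mode
    in a temporary directory and return what the audit sees for each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, mode in (("default", SYSTEMD_DEFAULT_SOCKET_MODE),
                            ("fixed", LXD_FIXED_SOCKET_MODE)):
            p = os.path.join(d, f"{label}.socket")
            s = bind_unix_socket(p, mode)
            try:
                results[label] = (oct(socket_perm_bits(p)), is_world_writable(p))
            finally:
                s.close()
    return results


if __name__ == "__main__":
    for label, (mode, ww) in demo().items():
        print(f"{label}: mode {mode} world-writable={ww}")
```

On a real host the same check is `stat -c '%a %G' /var/lib/lxd/unix.socket`, which should print `660 lxd` once the fixed unit is in place; the mode alone is not enough, because 0660 only helps if the socket's group is the one you intend to grant access to.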

CVE References

Changed in lxd (Ubuntu Xenial):
status: Triaged → Fix Committed
Changed in lxd (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → Critical
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxd (Ubuntu Xenial):
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxd (Ubuntu Wily):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lxd (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxd - 0.20-0ubuntu4.1

---------------
lxd (0.20-0ubuntu4.1) wily-security; urgency=medium

  * SECURITY UPDATE: Fix the mode of /var/lib/lxd/unix.socket when
    socket-activated by systemd to be 0660 instead of 0666. (LP: #1515689)

 -- Marc Deslauriers <email address hidden> Thu, 12 Nov 2015 11:37:28 -0500

Changed in lxd (Ubuntu Wily):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxd - 0.22-0ubuntu2

---------------
lxd (0.22-0ubuntu2) xenial; urgency=medium

  * SECURITY UPDATE: Fix the mode of /var/lib/lxd/unix.socket when
    socket-activated by systemd to be 0660 instead of 0666. (LP: #1515689)

 -- Stéphane Graber <email address hidden> Thu, 12 Nov 2015 11:35:59 -0500

Changed in lxd (Ubuntu Xenial):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This got CVE-2015-8222
