Comment 35 for bug 1783591
Revision history for this message
| Christian Brauner (cbrauner) wrote Re: [Bug 1783591] Re: lxc-user-nic allows unprivileged users to open arbitrary files | #35 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
On Sun, Aug 05, 2018 at 03:19:45PM -0000, Thomas Deutschmann wrote:
> @Christian: Something is weird with the stable-2.0 patch. It applies
> cleanly, but doesn't compile because it refers to LXC_PROC_PID_FD_LEN
> which doesn't exist and isn't added to the patch, so the code doesn't
> compile. I can fix the build by adding this line in utils.h:
>
> #define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 +
> 1)
Yeah, this was in my backport queue. I just cherry picked the patch to
support LXC_PROC_PID_FD_LEN to stable-2.0 now:
https:/
So it should work fine now.
Thanks for the report!
Christian
>
> --
> You received this bug notification because you are a member of Ubuntu
> Container Security team, which is subscribed to the bug report.
> https:/
>
> Title:
> lxc-user-nic allows unprivileged users to open arbitrary files
>
> Status in lxc package in Ubuntu:
> Triaged
> Status in lxc source package in Xenial:
> Triaged
> Status in lxc source package in Bionic:
> Triaged
> Status in lxc source package in Cosmic:
> Triaged
>
> Bug description:
> Matthias Gerstner from SUSE reported the following:
>
> ```
> Hello,
>
> following the lxc security reporting guidelines [1] I am reporting a
> finding in the lxc-user-nic setuid binary. I'm encrypting this mail as a
> best practice and because I found valid GPG keys for all of your
> adresses. Please find my public key attached to this mail.
>
> In the context of an openSUSE security audit of the lxc-user-nic setuid
> binary [2] (currently private bug) I came across an issue that should be
> adressed. In the "delete" case the program runs the following piece of
> code unconditionally with effective uid 0 (from lxc_user_nic.c):
>
> ```
> } else if (request == LXC_USERNIC_DELETE) {
> netns_fd = open(args.pid, O_RDONLY);
> if (netns_fd < 0) {
> usernic_
> strerror(errno));
> exit(EXIT_FAILURE);
> }
> }
> ```
>
> `args.pid` is a user controlled parameter and can be an arbitrary path
> at the moment. Nothing is done with this file descriptor later on in the
> program except an attempt at `setns(fd, CLONE_NEWNET)` in
> `is_privileged_
> of the setuid binary to achieve the following:
>
> - it can test for existence of files normally not accessible to the
> caller (information leak). Example:
> ```
> # this file is existing
> $ /usr/lib/
> lxc_user_nic.c: 1017: is_privileged_
> lxc_user_nic.c: 1161: main: Process is not privileged over network namespace
>
> # this file is not existing
> $ /usr/lib/
> lxc_user_nic.c: 1130: main: Could not open "/root/
> ```
>
> - it allows to trigger code paths in the kernel that are normally not
> accessible to the caller. This can happen when opening special files
> like character and block devices or files in /proc or /sys. Opening
> some of these files can cause lock or alloc operations or even more
> complex things to happen like when opening /dev/ptmx, which causes the
> allocation of a new master/slave pseudo terminal. Therefore this can
> lead to DoS like situations or have further unspecified impact.
>
> For fixing this I suggest opening the file supplied in `args.pid` only
> with the permissions of the real user, since this is already done in
> `is_privileged_
> normalization of the input path and then only allowing a path of the
> pattern /proc/<pid>/ns/net.
>
> [1] https:/
> [2] https:/
>
> Best regards
>
> Matthias
> ```
>
> To manage notifications about this bug go to:
> https:/