[Bug 1244635] Re: setuid executables in a container may compromise security on the host

Serge Hallyn Mon, 28 Oct 2013 13:42:26 -0700

** Also affects: lxc (Ubuntu Quantal)
   Importance: Undecided
       Status: New


** Description changed:

+ ==================================
+ 1. Impact: unprivileged users could run setuid-root binaries from out-of-date 
containers.
+ 2. Development fix: make /var/lib/lxc world- and group-unreadable
+ 3. Stable fix: same as development fix
+ 4. Test case:
+       sudo apt-get -y install lxc
+       sudo lxc-create -t ubuntu -n u1
+       ls /var/lib/lxc/u1/rootfs/bin/passwd
+ 5. Regression potential: users who want to view container contents without 
being root, will now have to do so as root, or manually change the /var/lib/lxc 
permissions.
+ 
  If I execute "/var/lib/lxc/NAME/rootfs/usr/bin/sudo -i" on the host
  system, it works exactly like "/usr/bin/sudo -i".
  
  Now suppose that a user that has root access to the LXC container
  creates a flawed setuid executable. What happens is that now the host
  system is flawed too.
  
  For example, I can patch the container's sudo to skip the authentication
  checks and then use /var/lib/lxc/NAME/rootfs/usr/bin/sudo from the host
  to gain root privileges.
  
  This assumes that you have both root access to the container and
  unprivileged access to the host. However the point is: insecure
  filesystem policies in a container may be source of security holes on
  the host system.
  
  Of course, the same applies to capabilities too, not just the setuid/gid
  bits.
  
  A possible solution to this problem would be to chmod 0700 the
  /var/lib/lxc directory. However doing so you lose the ability to browse
  files on the container from the host.
  
  An alternative would be to tell Apparmor to deny the execution of every
  file contained in /var/lib/lxc. (Or at least, to deny the execution of
  setuid/gid/cap files, if that's possible.)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1244635

Title:
  setuid executables in a container may compromise security on the host

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1244635] Re: setuid executables in a container may compromise security on the host

Reply via email to