[Bug 1244635] [NEW] setuid executables in a container may compromise security on the host

[Andrea Corbellini]

*** This bug is a security vulnerability ***

Public security bug reported:

If I execute "/var/lib/lxc/NAME/rootfs/usr/bin/sudo -i" on the host
system, it works exactly like "/usr/bin/sudo -i".

Now suppose that a user that has root access to the LXC container
creates a flawed setuid executable. What happens is that now the host
system is flawed too.

For example, I can patch the container's sudo to skip the authentication
checks and then use /var/lib/lxc/NAME/rootfs/usr/bin/sudo from the host
to gain root privileges.

This assumes that you have both root access to the container and
unprivileged access to the host. However the point is: insecure
filesystem policies in a container may be source of security holes on
the host system.

Of course, the same applies to capabilities too, not just the setuid/gid
bits.

A possible solution to this problem would be to chmod 0700 the
/var/lib/lxc directory. However doing so you lose the ability to browse
files on the container from the host.

An alternative would be to tell Apparmor to deny the execution of every
file contained in /var/lib/lxc. (Or at least, to deny the execution of
setuid/gid/cap files, if that's possible.)

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1244635

Title:
  setuid executables in a container may compromise security on the host

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions