[Bug 1244635] Re: setuid executables in a container may compromise security on the host

Serge Hallyn 1244635 at bugs.launchpad.net
Mon Oct 28 20:30:00 UTC 2013


** Also affects: lxc (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Description changed:

+ ==================================
+ 1. Impact: unprivileged users could run setuid-root binaries from out-of-date containers.
+ 2. Development fix: make /var/lib/lxc world- and group-unreadable
+ 3. Stable fix: same as development fix
+ 4. Test case:
+       sudo apt-get -y install lxc
+       sudo lxc-create -t ubuntu -n u1
+       ls /var/lib/lxc/u1/rootfs/bin/passwd
+ 5. Regression potential: users who want to view container contents without being root, will now have to do so as root, or manually change the /var/lib/lxc permissions.
+ 
  If I execute "/var/lib/lxc/NAME/rootfs/usr/bin/sudo -i" on the host
  system, it works exactly like "/usr/bin/sudo -i".
  
  Now suppose that a user that has root access to the LXC container
  creates a flawed setuid executable. What happens is that now the host
  system is flawed too.
  
  For example, I can patch the container's sudo to skip the authentication
  checks and then use /var/lib/lxc/NAME/rootfs/usr/bin/sudo from the host
  to gain root privileges.
  
  This assumes that you have both root access to the container and
  unprivileged access to the host. However the point is: insecure
  filesystem policies in a container may be source of security holes on
  the host system.
  
  Of course, the same applies to capabilities too, not just the setuid/gid
  bits.
  
  A possible solution to this problem would be to chmod 0700 the
  /var/lib/lxc directory. However doing so you lose the ability to browse
  files on the container from the host.
  
  An alternative would be to tell Apparmor to deny the execution of every
  file contained in /var/lib/lxc. (Or at least, to deny the execution of
  setuid/gid/cap files, if that's possible.)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1244635

Title:
  setuid executables in a container may compromise security on the host

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions
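
A host-side check for the exposure described in this report, added here as an example and not part of the bug report or the lxc package: it reports setuid/setgid files (and, if `getcap` is installed, files with capabilities) under a container directory when that directory is accessible to group or other. The function names are hypothetical; pass the LXC path (for example /var/lib/lxc, as in the report) as the first argument.

```shell
#!/bin/sh
# Added example: audit an LXC directory tree from the host.

# Succeeds when neither group nor other has any permission bit on DIR
# (for example mode 0700, the fix described in the report).
dir_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Lists regular files under DIR that carry the setuid or setgid bit.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Lists files under DIR that carry file capabilities, if getcap is installed.
list_cap_files() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$1" 2>/dev/null || true
}

# Prints findings. Returns 1 when DIR is open to non-owners and holds
# privileged files, 0 otherwise.
audit_lxc_path() {
    dir=$1
    if dir_is_private "$dir"; then
        echo "OK: $dir is not accessible to group/other"
        return 0
    fi
    found=$(list_setid_files "$dir"; list_cap_files "$dir")
    if [ -z "$found" ]; then
        echo "OK: no setuid/setgid/capability files under $dir"
        return 0
    fi
    echo "EXPOSED: $dir is accessible to non-owners and contains:"
    echo "$found"
    return 1
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_lxc_path "$1"
fi
```

Run it as root so that `find` can descend into every container rootfs; a non-zero exit status means the directory still needs the permission change.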


