*** This bug is a security vulnerability *** Public security bug reported:
If I execute "/var/lib/lxc/NAME/rootfs/usr/bin/sudo -i" on the host system, it works exactly like "/usr/bin/sudo -i". Now suppose that a user that has root access to the LXC container creates a flawed setuid executable. What happens is that now the host system is flawed too. For example, I can patch the container's sudo to skip the authentication checks and then use /var/lib/lxc/NAME/rootfs/usr/bin/sudo from the host to gain root privileges. This assumes that you have both root access to the container and unprivileged access to the host. However the point is: insecure filesystem policies in a container may be source of security holes on the host system. Of course, the same applies to capabilities too, not just the setuid/gid bits. A possible solution to this problem would be to chmod 0700 the /var/lib/lxc directory. However doing so you lose the ability to browse files on the container from the host. An alternative would be to tell Apparmor to deny the execution of every file contained in /var/lib/lxc. (Or at least, to deny the execution of setuid/gid/cap files, if that's possible.) ** Affects: lxc (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1244635 Title: setuid executables in a container may compromise security on the host To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs