oss-sec mailing list archives
lxc + fscaps
From: Sebastian Krahmer <krahmer () suse de>
Date: Tue, 23 Aug 2011 11:32:09 +0200
Hi Daniel, oss-sec, I was checking the lxc container framework for some use-cases and found that it supports usage of containers by users. It is installed with file caps in this case. (and a lot of caps indeed, so actually you have almost all caps distributed across the binaries). Particular interesting of course is cap_dac_override and it looks like most lxc- binaries are not really prepared to handle such cases: linux:~> /sbin/getcap /usr/local/bin/lxc-start /usr/local/bin/lxc-start = cap_dac_override,cap_fowner,cap_setpcap,\ cap_net_admin,cap_net_raw,cap_sys_chroot,cap_sys_admin+ep linux:~> /usr/local/bin/lxc-start -n foo -c /etc/foo /usr/bin/id lxc-start: failed to spawn 'foo' linux:~> ls -la /etc/foo -rw------- 1 jim users 0 Aug 23 09:38 /etc/foo linux:~> That means you have a trivial root exploit if lxc is installed for users. There is a lxc-setuid script too but I guess that the lxc binaries are similarily not intended for such use. I dont know whether any distributor ships lxc with file caps, but probably the tools need some hardening if you want to allow lxc for users at all. I checked the latest 0.7.5 version. regards, Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team --- SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
Current thread:
- lxc + fscaps Sebastian Krahmer (Aug 23)