[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] lxc + fscaps
From:       Sebastian Krahmer <krahmer () suse ! de>
Date:       2011-08-23 9:32:09
Message-ID: 20110823093209.GA18198 () suse ! de
[Download RAW message or body]


Hi Daniel, oss-sec,

I was checking the lxc container framework for some use-cases
and found that it supports usage of containers by users.
It is installed with file caps in this case. (and a lot
of caps indeed, so actually you have almost all caps distributed
across the binaries). Particular interesting of course is
cap_dac_override and it looks like most lxc- binaries are
not really prepared to handle such cases:

linux:~> /sbin/getcap /usr/local/bin/lxc-start
/usr/local/bin/lxc-start = cap_dac_override,cap_fowner,cap_setpcap,\
cap_net_admin,cap_net_raw,cap_sys_chroot,cap_sys_admin+ep
linux:~> /usr/local/bin/lxc-start -n foo -c /etc/foo /usr/bin/id
lxc-start: failed to spawn 'foo'
linux:~> ls -la /etc/foo
-rw------- 1 jim users 0 Aug 23 09:38 /etc/foo
linux:~>

That means you have a trivial root exploit if lxc is installed for users.
There is a lxc-setuid script too but I guess that the lxc binaries
are similarily not intended for such use.
I dont know whether any distributor ships lxc with file caps, but
probably the tools need some hardening if you want to allow
lxc for users at all. I checked the latest 0.7.5 version.

regards,
Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team

---
SUSE LINUX Products GmbH,
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

[prev in list] [next in list] [prev in thread] [next in thread]