Home page logo
/

oss-sec logo oss-sec mailing list archives

lxc + fscaps
From: Sebastian Krahmer <krahmer () suse de>
Date: Tue, 23 Aug 2011 11:32:09 +0200


Hi Daniel, oss-sec,

I was checking the lxc container framework for some use-cases
and found that it supports usage of containers by users.
It is installed with file caps in this case. (and a lot
of caps indeed, so actually you have almost all caps distributed
across the binaries). Particular interesting of course is
cap_dac_override and it looks like most lxc- binaries are
not really prepared to handle such cases:

linux:~> /sbin/getcap /usr/local/bin/lxc-start
/usr/local/bin/lxc-start = cap_dac_override,cap_fowner,cap_setpcap,\
cap_net_admin,cap_net_raw,cap_sys_chroot,cap_sys_admin+ep
linux:~> /usr/local/bin/lxc-start -n foo -c /etc/foo /usr/bin/id
lxc-start: failed to spawn 'foo'
linux:~> ls -la /etc/foo
-rw------- 1 jim users 0 Aug 23 09:38 /etc/foo
linux:~>

That means you have a trivial root exploit if lxc is installed for users.
There is a lxc-setuid script too but I guess that the lxc binaries
are similarily not intended for such use.
I dont know whether any distributor ships lxc with file caps, but
probably the tools need some hardening if you want to allow
lxc for users at all. I checked the latest 0.7.5 version.

regards,
Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team

---
SUSE LINUX Products GmbH,
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany


  By Date           By Thread  

Current thread:
  • lxc + fscaps Sebastian Krahmer (Aug 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]