group.of.nepali.translators team mailing list archive
Message #25851
[Bug 1783591] Re: lxc-user-nic allows unprivileged users to open arbitrary files
One can still test existence of files with those patches, but I guess
this was explicitly not part of the fixes?
** Bug watch added: Debian Bug tracker #905586
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905586
** Also affects: lxc (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905586
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1783591
Title:
lxc-user-nic allows unprivileged users to open arbitrary files
Status in lxc package in Ubuntu:
Fix Released
Status in lxc source package in Xenial:
Triaged
Status in lxc source package in Bionic:
Fix Released
Status in lxc source package in Cosmic:
Fix Released
Status in lxc package in Debian:
Unknown
Bug description:
Matthias Gerstner from SUSE reported the following:
Hello,
following the lxc security reporting guidelines [1] I am reporting a
finding in the lxc-user-nic setuid binary. I'm encrypting this mail as a
best practice and because I found valid GPG keys for all of your
addresses. Please find my public key attached to this mail.
In the context of an openSUSE security audit of the lxc-user-nic setuid
binary [2] (currently private bug) I came across an issue that should be
addressed. In the "delete" case the program runs the following piece of
code unconditionally with effective uid 0 (from lxc_user_nic.c):
```
} else if (request == LXC_USERNIC_DELETE) {
	netns_fd = open(args.pid, O_RDONLY);
	if (netns_fd < 0) {
		usernic_error("Could not open \"%s\": %s\n", args.pid,
			      strerror(errno));
		exit(EXIT_FAILURE);
	}
}
```
`args.pid` is a user controlled parameter and can be an arbitrary path
at the moment. Nothing is done with this file descriptor later on in the
program except an attempt at `setns(fd, CLONE_NEWNET)` in
`is_privileged_over_netns()`. Still this allows the unprivileged caller
of the setuid binary to achieve the following:
- it can test for existence of files normally not accessible to the
caller (information leak). Example:
```
# this file exists
$ /usr/lib/lxc/lxc-user-nic delete path name /root/.bash_history type bridge nic
lxc_user_nic.c: 1017: is_privileged_over_netns: Failed to setns() to network namespace Invalid argument
lxc_user_nic.c: 1161: main: Process is not privileged over network namespace
# this file does not exist
$ /usr/lib/lxc/lxc-user-nic delete path name /root/.zsh_history type bridge nic
lxc_user_nic.c: 1130: main: Could not open "/root/.zsh_history": No such file or directory
```
- it allows triggering code paths in the kernel that are normally not
accessible to the caller. This can happen when opening special files
like character and block devices or files in /proc or /sys. Opening
some of these files can cause lock or alloc operations or even more
complex things to happen, like when opening /dev/ptmx, which causes the
allocation of a new master/slave pseudo terminal. Therefore this can
lead to DoS-like situations or have further unspecified impact.
For fixing this I suggest opening the file supplied in `args.pid` only
with the permissions of the real user, since this is already done in
`is_privileged_over_netns()` anyway. Another approach would be the
normalization of the input path and then only allowing a path of the
pattern /proc/<pid>/ns/net.
[1] https://github.com/lxc/lxc/blob/master/README.md#reporting-security-issues
[2] https://bugzilla.suse.com/show_bug.cgi?id=988348
Best regards
Matthias
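The two mitigations the report suggests, combined, as an added example written for this page; it is not lxc's code and not the fix that shipped. It assumes the "delete" request is always handed a path of the form /proc/<pid>/ns/net with a numeric pid (so "/proc/self/ns/net" is deliberately rejected) and that the binary runs with effective uid 0. The path is checked lexically before any open(), so a rejected path is never opened at all and cannot serve as an existence oracle or reach device or sysfs nodes; the open() itself runs with the caller's real uid and gid via setfsuid()/setfsgid(); and the resulting descriptor is checked with fstatfs() to be an nsfs inode before it could ever be passed to setns(). The nsfs check and the helper names are this example's own construction.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fsuid.h>
#include <sys/statfs.h>

/* Filesystem magic of nsfs; same value as NSFS_MAGIC in <linux/magic.h>. */
#ifndef NSFS_MAGIC
#define NSFS_MAGIC 0x6e736673
#endif

/*
 * Lexical check for the only path shape the "delete" request should accept:
 * exactly "/proc/<pid>/ns/net", with <pid> a plain decimal number (no sign,
 * no leading zero) and nothing before or after it ("..", "//", trailing "/"
 * all fail). Rejecting here means open() is never called, so the caller
 * cannot use the setuid binary to probe arbitrary paths.
 */
bool is_netns_path(const char *path)
{
    static const char prefix[] = "/proc/";
    static const char suffix[] = "/ns/net";
    const char *p, *end;

    if (path == NULL || strncmp(path, prefix, sizeof(prefix) - 1) != 0)
        return false;
    p = path + sizeof(prefix) - 1;
    if (*p < '1' || *p > '9')            /* pid starts with 1..9 */
        return false;
    end = p;
    while (isdigit((unsigned char)*end))
        end++;
    if (end - p > 10)                    /* longer than any Linux pid */
        return false;
    return strcmp(end, suffix) == 0;     /* nothing may follow "/ns/net" */
}

/*
 * Open a validated netns path with DAC checks done as the real user rather
 * than as root, then confirm the descriptor really refers to an nsfs inode.
 * With euid 0, switching fsuid to a non-zero uid also drops CAP_DAC_OVERRIDE
 * and the other filesystem capabilities from the effective set until it is
 * switched back, so open() sees the caller's permissions. Run unprivileged
 * the fsuid/fsgid calls are no-ops and the checks still apply.
 * Returns the fd, or -1 with errno set.
 */
int open_netns_as_caller(const char *path)
{
    struct statfs sfs;
    int fd, saved_errno;

    if (!is_netns_path(path)) {
        errno = EINVAL;
        return -1;
    }

    setfsgid(getgid());
    setfsuid(getuid());
    fd = open(path, O_RDONLY);
    saved_errno = errno;
    setfsuid(geteuid());
    setfsgid(getegid());
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }
    fcntl(fd, F_SETFD, FD_CLOEXEC);

    /* /proc/<pid>/ns/net is a magic link; the object behind it lives on
     * nsfs. Anything else is refused before it could reach setns(). */
    if (fstatfs(fd, &sfs) < 0 || sfs.f_type != NSFS_MAGIC) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Default to this process's own netns path, e.g. "/proc/12345/ns/net". */
    char self_path[64];
    const char *path;
    int fd;

    snprintf(self_path, sizeof(self_path), "/proc/%ld/ns/net", (long)getpid());
    path = argc > 1 ? argv[1] : self_path;

    fd = open_netns_as_caller(path);
    if (fd < 0) {
        fprintf(stderr, "refused \"%s\": %s\n", path, strerror(errno));
        return 1;
    }
    printf("opened %s as a network namespace handle (fd %d)\n", path, fd);
    close(fd);
    return 0;
}
```

Run as an ordinary user with no argument it opens the caller's own namespace; `./a.out /root/.bash_history` and `./a.out /dev/ptmx` are refused with EINVAL before any open() happens, so neither the existence oracle nor the device-node side effects from the report are reachable. The order matters: the lexical check has to come first, because an fstatfs() check alone would still perform the open() and its side effects.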
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/+subscriptions