Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14OXFxLTIzNmotZ2o5N84AA3lE
Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true
Summary
If a user has restricted access to a project that is configured with restricted=true, they can gain root access on the system by creating a disk device with shift=true and creating a setuid root executable. This is possible because the shift property is not restricted unless restricted.devices.disk.paths is set.
Details
The following patch shows the offending code with a possible fix:
--- a/lxd/device/disk.go
+++ b/lxd/device/disk.go
@@ -429,17 +429,19 @@ func (d *disk) validateEnvironmentSourcePath() error {
if instProject.Name != api.ProjectDefaultName {
// If restricted disk paths are in force, then check the disk's source is allowed, and record the
// allowed parent path for later user during device start up sequence.
- if shared.IsTrue(instProject.Config["restricted"]) && instProject.Config["restricted.devices.disk.paths"] != "" {
- allowed, restrictedParentSourcePath := project.CheckRestrictedDevicesDiskPaths(instProject.Config, d.config["source"])
- if !allowed {
- return fmt.Errorf("Disk source path %q not allowed by project for disk %q", d.config["source"], d.name)
+ if shared.IsTrue(instProject.Config["restricted"]) {
+ if instProject.Config["restricted.devices.disk.paths"] != "" {
+ allowed, restrictedParentSourcePath := project.CheckRestrictedDevicesDiskPaths(instProject.Config, d.config["source"])
+ if !allowed {
+ return fmt.Errorf("Disk source path %q not allowed by project for disk %q", d.config["source"], d.name)
+ }
+
+ d.restrictedParentSourcePath = shared.HostPath(restrictedParentSourcePath)
}
if shared.IsTrue(d.config["shift"]) {
return fmt.Errorf(`The "shift" property cannot be used with a restricted source path`)
}
-
- d.restrictedParentSourcePath = shared.HostPath(restrictedParentSourcePath)
}
}
PoC
$ lxc project create restricted -c restricted=true -c restricted.devices.disk=allow
$ lxc project switch restricted
$ lxc profile device add default root disk path=/ pool=default
$ lxc init ubuntu:22.04 c1
$ lxc config device add c1 d1 disk source=/ path=/mnt shift=true
$ lxc start c1 # no error
$ lxc project set restricted restricted.devices.disk.paths=/ # explicitly allow mounting /
$ lxc restart c1
Error: Failed to start device "d1": The "shift" property cannot be used with a restricted source path
Created https://github.com/canonical/lxd/issues/12606 to improve the documentation as per https://github.com/canonical/lxd/security/advisories/GHSA-x9qq-236j-gj97#advisory-comment-91918
Permalink: https://github.com/advisories/GHSA-x9qq-236j-gj97JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14OXFxLTIzNmotZ2o5N84AA3lE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 5 months ago
Updated: about 2 months ago
Identifiers: GHSA-x9qq-236j-gj97
References:
- https://github.com/canonical/lxd/security/advisories/GHSA-x9qq-236j-gj97
- https://github.com/canonical/lxd/issues/12606
- https://github.com/canonical/lxd/commit/ce1bd0dd37bb3810fe6f16c237a4b65257f231f1
- https://github.com/advisories/GHSA-x9qq-236j-gj97
Blast Radius: 0.0
Affected Packages
go:github.com/canonical/lxd
Dependent packages: 14Dependent repositories: 1
Downloads:
Affected Version Ranges: = 5.19
Fixed in: 5.20
All affected versions:
All unaffected versions: