User can use lxc hooks for privilege escalation on lxd host #2003
LXD does not filter out or prevent users from setting the lxc pre-start hook in user containers, which could be used to execute code as root on the host, outside the containers. Other hooks either run as subuid or in the contained environment so I see no direct issue with them, but pre-start runs as a privileged user and could be used for privilege escalation.
I thought we had it blocked but apparently had to unblock it for some reason (nova-lxd maybe) and even have a test to make sure it does run...
We may end up blocking it again at some point down the line as we generally don't guarantee anything about raw.lxc.
That being said, I don't think it's a security issue as we consider anyone having access to the LXD API to have full root access anyway.
Basically the following is always possible and will give you similar access:
At which point you have the whole host mounted in /mnt/root and you have root access against all of it.
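For operators who want to know where `raw.lxc` hooks are set on their own hosts, here is an added audit example (not code from this issue or from the LXD project). It assumes container records shaped like LXD's JSON container listing, with `name`, `config` and `expanded_config` keys; the sample records and paths are constructed.

```python
# Added example: flag LXC hook entries passed through LXD's raw.lxc key.
# Assumption: each record has "name" plus "config" / "expanded_config" maps,
# as in LXD's JSON container listing. Sample data below is constructed.

SAMPLE = [
    {"name": "web01", "config": {"limits.cpu": "2"}},
    {"name": "build7",
     "config": {},
     # expanded_config includes keys inherited from profiles
     "expanded_config": {
         "raw.lxc": "# constructed sample\n"
                    "lxc.cgroup.devices.allow = c 10:200 rwm\n"
                    "lxc.hook.pre-start = /opt/example/setup.sh\n"
                    "lxc.hook.post-stop=/opt/example/cleanup.sh\n"}},
]

# Per the report above: pre-start runs as a privileged user on the host.
HOST_PRIVILEGED_HOOKS = {"lxc.hook.pre-start"}


def parse_raw_lxc(raw):
    """Yield (key, value) pairs from a raw.lxc value (one 'key = value' per line)."""
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may themselves contain '='
        yield key.strip().lower(), value.strip()


def audit(containers):
    """Return (container, hook key, hook target, severity) for every hook found."""
    findings = []
    for c in containers:
        cfg = c.get("expanded_config") or c.get("config") or {}
        for key, value in parse_raw_lxc(cfg.get("raw.lxc", "")):
            if key.startswith("lxc.hook."):
                sev = "high" if key in HOST_PRIVILEGED_HOOKS else "review"
                findings.append((c["name"], key, value, sev))
    return findings


if __name__ == "__main__":
    for name, key, target, sev in audit(SAMPLE):
        print(f"[{sev}] {name}: {key} -> {target}")
```

Given the maintainer's point that LXD API access is treated as root access, a finding here is a prompt to review who can reach the LXD API, not only the hook itself.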