[lxc-users] LXC security issue - affects all supported releases

Timotheus Pokorra timotheus at pokorra.de
Wed Sep 30 07:24:17 UTC 2015


Hello,

> During a recent security audit of LXC, Roman Fiedler identified a
> security vulnerability in LXC.
thanks for providing this fix!

I updated to the latest release on the stable/lts PPA
(https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lts).
package version: 1.0.7-0ubuntu0.5~ubuntu14.04.1~ppa1

>     1. do not allow mounts to paths containing symbolic links
>     2. do not allow bind mounts from relative paths containing symbolic
>     links.

Unfortunately, now I cannot start a container anymore, which does have a mount.
It is not using symbolic links, as far as I can see.
In the config file, I have this line:
lxc.mount.entry =
/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt
/var/lib/lxc/57-jessiestable.kolab.pokorra.de/rootfs/var/cache/apt
none defaults,bind 0 0

But lxc-start -n shows me this error:

lxc-start: utils.c: ensure_not_symlink: 1384 Mount onto
/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt resulted in
/usr/lib/x86_64-linux-gnu/lxc/var/cache/apt

lxc-start: utils.c: safe_mount: 1409 Mount of
'/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' onto
'/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt' was onto a symlink!
lxc-start: conf.c: mount_entry: 2051 No such file or directory -
failed to mount
'/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' on
'/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt'
lxc-start: conf.c: lxc_setup: 4165 failed to setup the mount entries
for '57-jessiestable.kolab.pokorra.de'

I wonder where the path
/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt comes from?
Is there a bug in the security patch, or some problem in my system?
It used to work fine before applying this latest release.

Thanks for any ideas,
  Timotheus
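The "Mount onto ... resulted in ..." message above is consistent with a check that compares the requested mount target string with the path the kernel actually resolved, in which case the doubled slash alone would make the two differ. The following Python sketch is an added illustration, not LXC's code, and only assumes that general shape of the check: a naive string comparison flags a path containing "//" even though no symlink is involved, while comparing against the normalized path still rejects a real symlink.

```python
import os
import tempfile


def target_is_symlink_free(path: str, normalize: bool) -> bool:
    """Return True if mounting onto `path` would not pass through a symlink.

    The check resolves every symlink in `path` and compares the result with
    the path the caller asked for. With normalize=False that comparison is a
    raw string compare, so cosmetic differences such as "//" trigger a false
    positive; with normalize=True the requested path is collapsed first.
    (Hypothetical check, assumed to resemble the one in the error above.)
    """
    resolved = os.path.realpath(path)
    expected = os.path.normpath(path) if normalize else path
    return resolved == expected


def demo() -> dict:
    """Build a constructed rootfs layout and run both variants of the check."""
    # realpath() on the tmpdir itself avoids false alarms on systems where
    # the temp directory is reached through a symlink (e.g. macOS /var).
    base = os.path.realpath(tempfile.mkdtemp())
    real_apt = os.path.join(base, "rootfs", "var", "cache", "apt")
    os.makedirs(real_apt)
    # A genuine symlink: the case the hardening is meant to reject.
    link_apt = os.path.join(base, "rootfs", "var", "cache", "apt-link")
    os.symlink(real_apt, link_apt)
    # The same real directory, addressed with a doubled slash like the
    # "/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt" path in the report.
    doubled = os.path.join(base, "rootfs") + "//var/cache/apt"
    return {
        "plain_path": target_is_symlink_free(real_apt, normalize=False),
        "doubled_slash_naive": target_is_symlink_free(doubled, normalize=False),
        "doubled_slash_normalized": target_is_symlink_free(doubled, normalize=True),
        "symlink_naive": target_is_symlink_free(link_apt, normalize=False),
        "symlink_normalized": target_is_symlink_free(link_apt, normalize=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the doubled-slash case changes between the two variants; the symlinked target is rejected either way, so normalizing the requested path does not weaken the check.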

