[lxc-users] LXC security issue - affects all supported releases

Stéphane Graber stgraber at ubuntu.com
Wed Sep 30 16:13:26 UTC 2015


Hi,

We're aware of a regression in the patch that was uploaded to Ubuntu
14.04 LTS and then automatically backported to the lts PPAs.

This patch differed a bit from the one sent upstream as we had to
work around a kernel bug in the Ubuntu 3.13 kernel.

Serge Hallyn is currently working on a fix for this issue. It does so
far appear to be caused by absolute paths containing "//" in them. The
planned fix is to normalize those paths to using a single "/".

We expect this regression to be fixed in Ubuntu 14.04 and the lts PPAs
in the very near future.

Until then, the best way around this issue is to either fix your
lxc.mount.entry or fstab entry by replacing all "//" by a single "/" or
as suggested on this list, make use of relative mounts.

Stéphane

On Wed, Sep 30, 2015 at 09:24:17AM +0200, Timotheus Pokorra wrote:
> Hello,
> 
> > During a recent security audit of LXC, Roman Fiedler identified a
> > security vulnerability in LXC.
> thanks for providing this fix!
> 
> I updated to the latest release on the stable/lts PPA
> (https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lts).
> package version: 1.0.7-0ubuntu0.5~ubuntu14.04.1~ppa1
> 
> >     1. do not allow mounts to paths containing symbolic links
> >     2. do not allow bind mounts from relative paths containing symbolic
> >     links.
> 
> Unfortunately, now I cannot start a container anymore, which does have a mount.
> It is not using symbolic links, as far as I can see.
> In the config file, I have this line:
> lxc.mount.entry = /var/lib/repocache/57/debian/jessie/amd64/var/cache/apt /var/lib/lxc/57-jessiestable.kolab.pokorra.de/rootfs/var/cache/apt none defaults,bind 0 0
> 
> But lxc-start -n shows me this error:
> 
> lxc-start: utils.c: ensure_not_symlink: 1384 Mount onto
> /usr/lib/x86_64-linux-gnu/lxc//var/cache/apt resulted in
> /usr/lib/x86_64-linux-gnu/lxc/var/cache/apt
> 
> lxc-start: utils.c: safe_mount: 1409 Mount of
> '/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' onto
> '/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt' was onto a symlink!
> lxc-start: conf.c: mount_entry: 2051 No such file or directory -
> failed to mount
> '/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' on
> '/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt'
> lxc-start: conf.c: lxc_setup: 4165 failed to setup the mount entries
> for '57-jessiestable.kolab.pokorra.de'
> 
> I wonder where the path
> /usr/lib/x86_64-linux-gnu/lxc//var/cache/apt comes from.
> Is there a bug in the security patch, or some problem in my system?
> It used to work fine before applying this latest release.
> 
> Thanks for any ideas,
>   Timotheus

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
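As an added illustration of the false positive discussed in this thread (example code, not LXC's own): a realpath()-based "was the mount target a symlink?" check of the kind the ensure_not_symlink message implies, run once against the literal target and once after collapsing "//" to "/" as the planned fix does. The fixture directory and the names normalize_path, target_is_symlink and make_fixture are constructed for this example.

```c
#define _DEFAULT_SOURCE                 /* for realpath(), mkdtemp() on glibc */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* The planned fix: collapse "//" runs (and drop a trailing '/', except on "/")
 * so a literal path compares equal to what realpath() returns for it. */
static void normalize_path(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in && n + 1 < outlen; in++)
        if (*in != '/' || n == 0 || out[n - 1] != '/')
            out[n++] = *in;         /* copy, skipping a repeated slash */
    if (n > 1 && out[n - 1] == '/') n--;
    out[n] = '\0';
}
/* 1 if resolving dest changes it (a symlink in the path), 0 if it resolves to
 * itself, -1 if unresolvable. normalize=0 reproduces the "//" false positive. */
static int target_is_symlink(const char *dest, int normalize)
{
    char resolved[PATH_MAX], expected[PATH_MAX];
    if (!realpath(dest, resolved)) return -1;
    if (normalize)
        normalize_path(dest, expected, sizeof expected);
    else
        snprintf(expected, sizeof expected, "%s", dest);
    return strcmp(resolved, expected) != 0;
}
/* Constructed fixture: <base>/real (a directory) and <base>/link -> real. base
 * must hold PATH_MAX bytes and is canonicalised, so only our "//" or symlink differ. */
static int make_fixture(char *base)
{
    char dir[] = "/tmp/lxcdemo.XXXXXX", p[PATH_MAX];
    if (!mkdtemp(dir) || !realpath(dir, base)) return -1;
    snprintf(p, sizeof p, "%s/real", base);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/link", base);
    return symlink("real", p);
}
int main(void)
{
    char base[PATH_MAX], p[PATH_MAX];
    if (make_fixture(base) != 0) return 1;
    snprintf(p, sizeof p, "%s//real", base);   /* the "//" case from the log */
    printf("naive check: %d, normalized check: %d\n",
           target_is_symlink(p, 0), target_is_symlink(p, 1));
    return 0;
}
```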