[lxc-users] LXC security issue - affects all supported releases

Stéphane Graber stgraber at ubuntu.com
Wed Sep 30 19:47:51 UTC 2015


The fix for this regression has now been uploaded to Ubuntu 14.04.

On Wed, Sep 30, 2015 at 12:13:26PM -0400, Stéphane Graber wrote:
> Hi,
> 
> We're aware of a regression in the patch that was uploaded to Ubuntu
> 14.04 LTS and then automatically backported to the lts PPAs.
> 
> This patch differed a bit from the one sent upstream as we had to
> work around a kernel bug in the Ubuntu 3.13 kernel.
> 
> Serge Hallyn is currently working on a fix for this issue. It does so
> far appear to be caused by absolute paths containing "//" in them. The
> planned fix is to normalize those paths to using a single "/".
> 
> We expect this regression to be fixed in Ubuntu 14.04 and the lts PPAs
> in the very near future.
> 
> Until then, the best way around this issue is to either fix your
> lxc.mount.entry or fstab entry by replacing all "//" by a single "/" or
> as suggested on this list, make use of relative mounts.
> 
> Stéphane
> 
> On Wed, Sep 30, 2015 at 09:24:17AM +0200, Timotheus Pokorra wrote:
> > Hello,
> > 
> > > During a recent security audit of LXC, Roman Fiedler identified a
> > > security vulnerability in LXC.
> > thanks for providing this fix!
> > 
> > I updated to the latest release on the stable/lts PPA
> > (https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lts).
> > package version: 1.0.7-0ubuntu0.5~ubuntu14.04.1~ppa1
> > 
> > >     1. do not allow mounts to paths containing symbolic links
> > >     2. do not allow bind mounts from relative paths containing symbolic
> > >     links.
> > 
> > Unfortunately, now I cannot start a container anymore, which does have a mount.
> > It is not using symbolic links, as far as I can see.
> > In the config file, I have this line:
> > lxc.mount.entry =
> > /var/lib/repocache/57/debian/jessie/amd64/var/cache/apt
> > /var/lib/lxc/57-jessiestable.kolab.pokorra.de/rootfs/var/cache/apt
> > none defaults,bind 0 0
> > 
> > But lxc-start -n shows me this error:
> > 
> > lxc-start: utils.c: ensure_not_symlink: 1384 Mount onto
> > /usr/lib/x86_64-linux-gnu/lxc//var/cache/apt resulted in
> > /usr/lib/x86_64-linux-gnu/lxc/var/cache/apt
> > 
> > lxc-start: utils.c: safe_mount: 1409 Mount of
> > '/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' onto
> > '/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt' was onto a symlink!
> > lxc-start: conf.c: mount_entry: 2051 No such file or directory -
> > failed to mount
> > '/var/lib/repocache/57/debian/jessie/amd64/var/cache/apt' on
> > '/usr/lib/x86_64-linux-gnu/lxc//var/cache/apt'
> > lxc-start: conf.c: lxc_setup: 4165 failed to setup the mount entries
> > for '57-jessiestable.kolab.pokorra.de'
> > 
> > I wonder where the path
> > /usr/lib/x86_64-linux-gnu/lxc//var/cache/apt comes from?
> > Is there a bug in the security patch, or some problem in my system?
> > It used to work fine before applying this latest release.
> > 
> > Thanks for any ideas,
> >   Timotheus
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com





-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
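To make the regression discussed in this thread concrete, here is an added Python model of the check (this is illustrative code written for this page, not LXC's utils.c). It assumes, as the "Mount onto X resulted in Y" message suggests, that the safety check compares the requested mount destination with what the kernel actually resolves it to and treats any difference as a symlink. With that design a "//" in the path string makes a perfectly ordinary directory look like a symlink, which is the false positive Timotheus hit; collapsing repeated slashes before the comparison, as Stéphane describes the planned fix, removes the false positive while a real symlink in the target path is still refused. The directory tree and the symlink are constructed inside a temporary directory.

```python
import os
import shutil
import tempfile


def ensure_not_symlink_naive(dest):
    """Model of the regressed check (assumption, not LXC's code): the
    destination string is compared byte-for-byte with its resolved form.
    Any difference, including one caused only by '//', is reported as
    'was onto a symlink'."""
    return os.path.realpath(dest) == dest


def normalize_path(path):
    """Collapse runs of '/' into a single '/' and drop a trailing '/'.
    This is purely lexical: no symlink is resolved and '..' is left alone,
    so it cannot weaken the symlink check that follows."""
    parts = [p for p in path.split("/") if p]
    joined = "/".join(parts)
    return "/" + joined if path.startswith("/") else joined


def ensure_not_symlink(dest):
    """Fixed check: normalize first, then require that resolving the
    path changes nothing. Any remaining difference is a real symlink
    somewhere in the destination, which is what the patch must refuse."""
    dest = normalize_path(dest)
    return os.path.realpath(dest) == dest


def build_fixture():
    """Constructed tree: <root>/var/cache/apt is a real directory and
    <root>/var/lnk is a symlink to 'cache'. realpath() is applied to the
    temp dir so the fixture itself sits on a symlink-free path."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="lxc-mount-demo-"))
    os.makedirs(os.path.join(root, "var", "cache", "apt"))
    os.symlink("cache", os.path.join(root, "var", "lnk"))
    return root


def demo():
    """Run the naive and the fixed check against the constructed tree.
    Returns a dict of check results so they can be inspected or asserted."""
    root = build_fixture()
    try:
        return {
            # the regression: a harmless '//' is reported as a symlink
            "naive_double_slash": ensure_not_symlink_naive(root + "//var/cache/apt"),
            # after normalization the same destination is accepted
            "fixed_double_slash": ensure_not_symlink(root + "//var/cache/apt"),
            # a clean absolute path is accepted either way
            "fixed_plain": ensure_not_symlink(root + "/var/cache/apt"),
            # a destination that traverses a real symlink is still refused
            "fixed_symlink": ensure_not_symlink(root + "/var/lnk/apt"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'mount allowed' if ok else 'refused: was onto a symlink'}")
```

The same normalization is what the workaround in the thread does by hand: rewriting the `lxc.mount.entry` or fstab destination so it contains no `//` gives the check a string that already equals its resolved form.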