chmod race in doUidshiftIntoContainer()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxd (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
doUidshiftIntoContainer() has a race between the chmod and the stat in
the filepath.Walk() function. A symbolic link created in that window could
cause any file on the system to have any mode of the attacker's choice.
The function as posted (the indented bodies were lost in extraction and are reconstructed here from the description; GetOwner, Shift_into_ns and Shift_from_ns are assumed to be LXD's own helpers):

```go
func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how string) error {
	convert := func(path string, fi os.FileInfo, err error) (e error) {
		uid, gid, err := GetOwner(path) // fi is from the lstat filepath.Walk() already did
		if err != nil {
			return err
		}
		var newuid, newgid int
		switch how {
		case "in":
			newuid, newgid = set.Shift_into_ns(uid, gid)
		case "out":
			newuid, newgid = set.Shift_from_ns(uid, gid)
		}
		if testmode {
			fmt.Printf("I would shift %q to %d %d\n", path, newuid, newgid)
		} else {
			err = os.Lchown(path, newuid, newgid)
			// Both calls go by path: between Walk's lstat and this chmod the
			// path may already have been replaced with a symlink.
			if err == nil && fi.Mode()&os.ModeSymlink == 0 {
				err = os.Chmod(path, fi.Mode())
			}
		}
		return err
	}
	if !PathExists(dir) {
		return fmt.Errorf("No such file or directory: %q", dir)
	}
	return filepath.Walk(dir, convert)
}
```
This function cannot be used if any processes from the uid ranges in
question could be executing on the system, or on any systems that may mount
the target filesystem via nfs, p9fs, or other networked filesystems.
The mode change needs to be done after dropping privileges to the target
user and group so that the chmod can only affect files owned by the uid
in question.
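The window described above can also be closed without dropping privileges, by never applying the mode through a path that may have been swapped. The following is an added example, not LXD's code and not the fix the reporter proposes (which is to chmod as the target uid): it opens each entry with O_NOFOLLOW so a planted symlink is refused, checks that the inode it opened is the one filepath.Walk() lstat'ed, and applies the mode to the descriptor with fchmod. restoreMode, shiftTree and ErrReplaced are names chosen for this example; the sample file and the symlink planted by main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ErrReplaced: the object now at path is not the inode filepath.Walk() stat'ed.
var ErrReplaced = errors.New("path was replaced between stat and chmod")

// restoreMode reapplies the mode recorded in fi (the lstat result that
// filepath.Walk() handed to the callback) without trusting the path again:
//  1. open with O_NOFOLLOW, so a symlink planted in the window fails (ELOOP);
//  2. fstat the descriptor and require the same device/inode as fi;
//  3. fchmod the descriptor, never the path.
// Name and structure are this example's own, not LXD's.
func restoreMode(path string, fi os.FileInfo) error {
	if fi.Mode()&os.ModeSymlink != 0 {
		return nil // symlinks have no mode to restore; the original skipped them too
	}
	want, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("%s: no raw stat data available", path)
	}
	// O_NONBLOCK keeps a FIFO from blocking the open; O_CLOEXEC keeps the fd private.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_NONBLOCK|syscall.O_CLOEXEC, 0)
	if err != nil {
		return err // ELOOP here means a symlink appeared: refuse, do not chmod
	}
	defer f.Close()
	got, err := f.Stat()
	if err != nil {
		return err
	}
	have, ok := got.Sys().(*syscall.Stat_t)
	if !ok || have.Dev != want.Dev || have.Ino != want.Ino {
		return ErrReplaced
	}
	// fchmod acts on the inode we just verified; File.Chmod keeps the
	// setuid/setgid/sticky bits carried in fi.Mode().
	return f.Chmod(fi.Mode())
}

// shiftTree has the Walk callback shape from the report, with restoreMode in
// place of the path-based os.Chmod. Ownership shifting is left out here.
func shiftTree(dir string) error {
	return filepath.Walk(dir, func(path string, fi os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		return restoreMode(path, fi)
	})
}

func main() {
	// Constructed demo: a file as Walk would see it, then a symlink to a file
	// outside the tree dropped into the window, as an attacker would do.
	dir, err := os.MkdirTemp("", "uidshift")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "rootfs-file")
	if err := os.WriteFile(p, []byte("constructed sample"), 0o600); err != nil {
		panic(err)
	}
	fi, err := os.Lstat(p) // what filepath.Walk() passes to the callback
	if err != nil {
		panic(err)
	}
	os.Remove(p)
	os.Symlink("/etc/passwd", p) // attacker wins the race
	fmt.Println("restoreMode:", restoreMode(p, fi)) // refused; /etc/passwd untouched
}
```

The reporter's alternative works for the same reason: chmod(2) issued as the target uid fails with EPERM on anything that uid does not own, so a symlink to a root-owned file gains nothing. Device nodes in a rootfs are better not opened O_RDONLY at all; on Linux the same check can be done with O_PATH and the mode applied via /proc/self/fd/N, which this example does not do.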
Thanks
information type: Private Security → Public Security
Changed in lxd (Ubuntu):
status: New → In Progress
This is CVE-2015-1340