default install of focal allows privilege escalation via lxd group

Bug #1949115 reported by Ian Johnson
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
user-setup (Ubuntu)
Fix Released
High
Sebastien Bacher

Bug Description

By default, a new installation of Ubuntu (at least I tried 20.04 Desktop, but I assume this applies to other variants/versions as well) create a user which is in the lxd group. When the lxd snap is also installed, this user can now create privileged containers which essentially allow trivial privilege elevation to root.

This might be a bug in lxd with privileged container creation requiring full root, or it might be the case that the default user should not be put into the lxd group out of the box, so I'm not sure what's the best package to file this one against.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
affects: ubuntu → user-setup (Ubuntu)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public? This is a well-known issue.

Revision history for this message
Ian Johnson (anonymouse67) wrote :

I filed it as a private bug because I wasn't sure how widely known it was that this was exploitable, but sure if the security team thinks this is a well-known issue that is good enough for me

information type: Private Security → Public Security
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Yeah; I thought we had a list of 'root-equivalent groups' around here somewhere, but last time I went looking for that list, I couldn't find it. Does it already exist? If not, we should probably write one.

Thanks

Revision history for this message
Sebastien Bacher (seb128) wrote :

I've uploaded an user-setup change now to replace lxd by users which will make use default to unprivledged containers as explained on https://discourse.ubuntu.com/t/easy-multi-user-lxd-setup

Changed in user-setup (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
assignee: nobody → Sebastien Bacher (seb128)
Revision history for this message
Alex Murray (alexmurray) wrote :

That sounds like a great solution - but I wonder that it will now break things like snapcraft from working OOTB (from the last time I tested this ~6 months ago) failed when using the unprivileged LXD setup (I assume this is due to the way it passes the project contents through to the container but surely this could be changed to just use lxc file push/pull etc rather than mounting the CWD into the container)

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks for the feedback Alex, I will make sure we check early what's the impact on snapcraft

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package user-setup - 1.90ubuntu3

---------------
user-setup (1.90ubuntu3) lunar; urgency=medium

  * debian/user-setup.templates:
    - remove 'lxd' from user-default-groups and add 'users' instead,
      it will let lxd default to unprivileged containers which is better
      see https://discourse.ubuntu.com/t/easy-multi-user-lxd-setup for details
      (lp: #1949115)

 -- Sebastien Bacher <email address hidden> Thu, 24 Nov 2022 10:51:38 +0100

Changed in user-setup (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.