Security #78

HyperVM (all versions) - get_vm_name() remote privilege escalation

Added by William Pitcock almost 2 years ago. Updated over 1 year ago.

Status: New
Start date: 04/20/2010
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Spent time: -
Target version: 2.1.1
Affected version:
Resolution:

Description

Hello,

The HyperVM Xen and OpenVZ SSH access escalates privilege to root unnecessarily, opening the system to a potential security risk.

This is caused by the following code in sbin/lxlogin.c:

setuid(0);
seteuid(0);
setgid(0);
setegid(0);

xm and vzctl do not require the calling parent process to have root privilege. What you should do is fork to a child process and then execve() with privileges escalated as appropriate. xm does not require privilege escalation at all to gain console access when appropriate filesystem permissions are used.

History

Updated by Danny Terweij almost 2 years ago

So it is possible to add just a user to the system, and it can do vzctl enter vpsid?
Is vzctl itself then not a security issue?

Updated by Danny Terweij almost 2 years ago

[root@themis ~]# adduser dannytest -m -s /bin/bash -d /home/dannytest
[root@themis ~]# su dannytest
[dannytest@themis root]$ cd ~
[dannytest@themis ~]$ vzlist
This program can only be run under root.
[dannytest@themis ~]$ vzctl enter 110
Unable to open /dev/vzctl: Permission denied
Please check that vzdev kernel module is loaded and you have sufficient permissions to access the file.

Looks like it needs root.

Updated by William Pitcock almost 2 years ago

Hi Danny,

You should be able to add group write/exec permission to /dev/vzctl, and escalate process capabilities as necessary. It is safer to escalate select capabilities rather than all of the capabilities by going setuid 0.

Updated by Danny Terweij almost 2 years ago

What do you think is wise: set /dev/vzctl and add lxlabs as group, and the suggested method in the C file?
And do you have a code suggestion? I am not a C programmer.

Updated by William Pitcock almost 2 years ago

I think you should setcap() as appropriate and chmod g+ws /dev/vzctl after placing it in the lxlabs group. I am not familiar with what capabilities are needed to use vzctl though, but will investigate this evening.
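The fork-then-execve() pattern discussed above, as an added C example that is not part of the original thread and is not HyperVM code: the parent never changes its own IDs, the child commits to one uid/gid (checking every return value and confirming root cannot be regained) before it execs the tool. The names run_tool_as and drop_privileges are hypothetical, /bin/sh stands in for the console tool, the gid is assumed to be the group that owns the device node, and the capability set vzctl would need is not covered because the thread does not establish it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Commit the calling process to uid/gid; returns 0 on success, -1 on failure. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root can reset supplementary groups, and it only matters when
     * leaving root: keep nothing but the group that owns the device node. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group first: after setuid() the right to change it is gone. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* A drop that can be undone is not a drop. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run path/argv in a child with the given IDs; returns its exit status or -1. */
int run_tool_as(uid_t uid, gid_t gid, const char *path, char *const argv[])
{
    /* Fixed environment: nothing inherited from the SSH session reaches the tool. */
    char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);             /* never exec with unexpected IDs */
        execve(path, argv, clean_env);
        _exit(127);                 /* execve() only returns on failure */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: "id" shows the IDs the child actually ended up with. */
    char *const argv[] = { "sh", "-c", "id", NULL };
    return run_tool_as(getuid(), getgid(), "/bin/sh", argv);
}
```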

Updated by Danny Terweij almost 2 years ago

  • Priority changed from Immediate to Normal

I hope you don't forget it, William.

Updated by Danny Terweij over 1 year ago

  • Target version set to 2.1.0

Updated by Danny Terweij over 1 year ago

  • Target version changed from 2.1.0 to 2.1.1

Moved to next version.
