Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true

Summary

If a user has restricted access to a project that is configured with restricted=true, they can gain root access on the system by creating a disk device with shift=true and creating a setuid root executable. This is possible because the shift property is not restricted unless restricted.devices.disk.paths is set.

Details

The following patch shows the offending code with a possible fix:

--- a/lxd/device/disk.go
+++ b/lxd/device/disk.go
@@ -429,17 +429,19 @@ func (d *disk) validateEnvironmentSourcePath() error {
        if instProject.Name != api.ProjectDefaultName {
                // If restricted disk paths are in force, then check the disk&#039;s source is allowed, and record the
                // allowed parent path for later user during device start up sequence.
-               if shared.IsTrue(instProject.Config[&quot;restricted&quot;]) &amp;&amp; instProject.Config[&quot;restricted.devices.disk.paths&quot;] != &quot;&quot; {
-                       allowed, restrictedParentSourcePath := project.CheckRestrictedDevicesDiskPaths(instProject.Config, d.config[&quot;source&quot;])
-                       if !allowed {
-                               return fmt.Errorf(&quot;Disk source path %q not allowed by project for disk %q&quot;, d.config[&quot;source&quot;], d.name)
+               if shared.IsTrue(instProject.Config[&quot;restricted&quot;]) {
+                       if instProject.Config[&quot;restricted.devices.disk.paths&quot;] != &quot;&quot; {
+                               allowed, restrictedParentSourcePath := project.CheckRestrictedDevicesDiskPaths(instProject.Config, d.config[&quot;source&quot;])
+                               if !allowed {
+                                       return fmt.Errorf(&quot;Disk source path %q not allowed by project for disk %q&quot;, d.config[&quot;source&quot;], d.name)
+                               }
+
+                               d.restrictedParentSourcePath = shared.HostPath(restrictedParentSourcePath)
                        }

                        if shared.IsTrue(d.config[&quot;shift&quot;]) {
                                return fmt.Errorf(`The &quot;shift&quot; property cannot be used with a restricted source path`)
                        }
-
-                       d.restrictedParentSourcePath = shared.HostPath(restrictedParentSourcePath)
                }
        }

PoC

$ lxc project create restricted -c restricted=true -c restricted.devices.disk=allow
$ lxc project switch restricted
$ lxc profile device add default root disk path=/ pool=default
$ lxc init ubuntu:22.04 c1
$ lxc config device add c1 d1 disk source=/ path=/mnt shift=true
$ lxc start c1  # no error

$ lxc project set restricted restricted.devices.disk.paths=/  # explicitly allow mounting /
$ lxc restart c1
Error: Failed to start device &quot;d1&quot;: The &quot;shift&quot; property cannot be used with a restricted source path

Created https://github.com/canonical/lxd/issues/12606 to improve the documentation as per https://github.com/canonical/lxd/security/advisories/GHSA-x9qq-236j-gj97#advisory-comment-91918

Published: Dec 5, 2023
Updated: Dec 6, 2023
GHSA: GHSA-x9qq-236j-gj97
Severity: Low
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
github.com/canonical/lxd	5.19	5.19.x

Vulnerability Database

Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true

Summary

Details

PoC

Deep Security Visibility Without the Complexity