Salvatore Bonaccorso of the Debian Project reports: Florian Sagar discovered and reported an error in the sshd template of lxc allowing privilege escalation on the host. The error can be found on https://github.com/lxc/lxc/blob/master/templates/lxc-sshd.in#L131 where the mount is not done read-only. There is already a public pull/commit for this issue so might not anymore be embargoed (but asking first here). https://github.com/dotcloud/lxc/pull/1 https://github.com/usrflo/lxc/commit/fc09866c98468f3d832289d6608ee611a2c3c387
Acknowledgment: Red Hat would like to thank the Debian Project for reporting this issue. The Debian Project acknowledges Florian Sagar as the original reporter.
Statement: This issue did not affect the versions of libvirt (which includes lxc) as shipped with Red Hat Enterprise Linux 6 as they do not include the template file lxc-sshd.in.
Hi Kurt As per feedback from upstream this CVE assigned is disputed. The change to make the mount entry bind,ro was done as good safety net to have. But having root access to a container allows to get root to the host (see e.g http://blog.bofh.it/debian/id_413), if not using unprivileged containers or selinux/apparmor to restrict the containers.
To followup, a further patch was posted: https://github.com/lxc/lxc/commit/f4d5cc8e1f39d132b61e110674528cac727ae0e2 which is a similar hardening feature (or safety net). As upstream indicated, it's a known and acknowledged limitation of LXC (when not used with userns or apparmor/selinux) that root in a container is the effective equivalent of root on the host (so an individual with root in an LXC container can can change the host's lxc-sshd regardless of this issue).