
CVE-2015-1328: incorrect permission checks in overlayfs, Ubuntu local root - QUFB
http://seclists.org/oss-sec/2015/q2/717
======
akanet
This definitely concerns me as someone who uses Docker + Overlay for
sandboxing. Anyone know which webpage to refresh regularly to check for a fix?
My guess is
[https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1465400](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1465400),
but I'm not too sure.

~~~
justincormack
You can compile a new kernel with user namespaces disabled for now. Docker
does not require them. Obviously do not run containers as root, or that is
just as bad.

------
jMyles
So, it looks like a (non-root) user with write access to any directory can
gain root?

Well, shit.

------
blorgle
The CVE states:

"Hello, this is CVE-2015-1328 which allows a local root privilege escalation
in the default configuration on all currently supported versions of Ubuntu."

But when I look in the /boot of a randomly picked Ubuntu 12.04 server, which
has 3.2, 3.8 and 3.11 installed, only the corresponding config file for 3.2
has CONFIG_USER_NS.

What happened to CONFIG_USER_NS in later kernel versions?

~~~
regecks
It's enabled for me in 3.13 in 14.04.
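
The mitigation discussed above (user namespaces disabled) and the kernel-config check blorgle describes, as an added shell example that is not from this thread: it reads a kernel config file and reports whether both preconditions of CVE-2015-1328, CONFIG_USER_NS and overlayfs, are enabled. The overlayfs symbol names CONFIG_OVERLAY_FS (mainline) and CONFIG_OVERLAYFS_FS (older Ubuntu kernels) are assumed; the sample config files are constructed.

```shell
# Report whether a kernel config enables both CONFIG_USER_NS and overlayfs,
# the combination an unpatched kernel needs for CVE-2015-1328.
# Returns 0 when both are enabled (exposed), 1 when a precondition is
# missing, 2 when the file cannot be read.
# Typical call: check_overlay_userns "/boot/config-$(uname -r)"
check_overlay_userns() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    userns=no
    overlay=no
    if grep -q '^CONFIG_USER_NS=y' "$cfg"; then
        userns=yes
    fi
    # Symbol names are an assumption: CONFIG_OVERLAY_FS (mainline) or
    # CONFIG_OVERLAYFS_FS (older Ubuntu trees); =y or =m both count.
    if grep -Eq '^CONFIG_(OVERLAY_FS|OVERLAYFS_FS)=[ym]' "$cfg"; then
        overlay=yes
    fi
    echo "$cfg: CONFIG_USER_NS=$userns overlayfs=$overlay"
    if [ "$userns" = yes ] && [ "$overlay" = yes ]; then
        echo "  -> both enabled: patch the kernel or disable user namespaces"
        return 0
    fi
    echo "  -> precondition missing: not exposed via this path"
    return 1
}

# Constructed sample configs (not real Ubuntu files) showing both outcomes.
SAMPLE_DIR=$(mktemp -d)
printf 'CONFIG_USER_NS=y\nCONFIG_OVERLAY_FS=m\n' > "$SAMPLE_DIR/config-exposed"
printf '# CONFIG_USER_NS is not set\nCONFIG_OVERLAY_FS=m\n' > "$SAMPLE_DIR/config-safe"

if check_overlay_userns "$SAMPLE_DIR/config-exposed"; then :; fi
if check_overlay_userns "$SAMPLE_DIR/config-safe"; then :; fi
```

Run it against every `/boot/config-*` on a host to see which installed kernels carry both preconditions, not just the one currently booted.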

------
userbinator
Is Ubuntu the only distro which is affected, or are there others? Presumably
any which have overlayfs enabled will be.

_It is also possible to list directory contents for any directory on the
system regardless of permissions_

That's basically a "duh" once you get root...

~~~
jsprogrammer
>That's basically a "duh" once you get root...

The bug/exploit is that you can do it without getting root.

~~~
userbinator
Before that sentence it says "The attached exploit gives a root shell", so I
felt it was rather redundant to then say that all the directories on the
system can be read.

~~~
jsprogrammer
Getting root shell requires additional steps. It looks like you can read any
directory simply by mounting it as an overlay.

------
AaronFriel
Does this affect the "overlay" filesystem, which I've read has been renamed
from "overlayfs" to avoid ambiguity?

------
blfr
Aren't privilege escalation attacks pretty common? Is this one particularly
bad?

------
giis
Does this affect lxc like docker/openvz?

