[Bug 1949115] Re: default install of focal allows privilege escalation via lxd group
Launchpad Bug Tracker
1949115 at bugs.launchpad.net
Mon Nov 28 19:48:50 UTC 2022
This bug was fixed in the package user-setup - 1.90ubuntu3
---------------
user-setup (1.90ubuntu3) lunar; urgency=medium
* debian/user-setup.templates:
- remove 'lxd' from user-default-groups and add 'users' instead,
it will let lxd default to unprivileged containers which is better
see https://discourse.ubuntu.com/t/easy-multi-user-lxd-setup for details
(lp: #1949115)
-- Sebastien Bacher <seb128 at ubuntu.com> Thu, 24 Nov 2022 10:51:38
+0100
** Changed in: user-setup (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to user-setup in Ubuntu.
https://bugs.launchpad.net/bugs/1949115
Title:
default install of focal allows privilege escalation via lxd group
Status in user-setup package in Ubuntu:
Fix Released
Bug description:
By default, a new installation of Ubuntu (at least I tried 20.04
Desktop, but I assume this applies to other variants/versions as well)
create a user which is in the lxd group. When the lxd snap is also
installed, this user can now create privileged containers which
essentially allow trivial privilege elevation to root.
This might be a bug in lxd with privileged container creation
requiring full root, or it might be the case that the default user
should not be put into the lxd group out of the box, so I'm not sure
what's the best package to file this one against.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/user-setup/+bug/1949115/+subscriptions
More information about the foundations-bugs
mailing list