Store VE layout in VE config during create and convert
VE layout (ploop or simfs) is automatically detected based on presence
of "root.hdd/DiskDescriptor.xml" file inside the VE private directory.
Imagine that inside a simfs CT this file is created by some malicious
user who has root privileges there. When vzctl starts a CT, it would
mistakenly autodetect the CT as being the ploop one!
This design flaw leads to a certain kind of attack vector, e.g.:
CT 101 (simfs) = Attacker
CT 102 (ploop) = Victim
[root@node ~]# vzctl start 101
[root@node ~]# vzctl exec 101 ln -s ../../../../../../vz/private/102/root.hdd /root.hdd
[root@node ~]# vzctl stop 101
[root@node ~]# vzctl status 101
CTID 101 exist mounted down
[root@node ~]# vzctl status 102
CTID 102 exist mounted down
[root@node ~]# vzctl start 101
Starting container...
Opening delta /vz/private/102/root.hdd/root.hdd
Adding delta dev=/dev/ploop25933 img=/vz/private/102/root.hdd/root.hdd (rw)
Mounting /dev/ploop25933p1 at /vz/root/101 fstype=ext4 data='balloon_ino=12,
usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0,'
Container is mounted
Container start in progress...
The Attacker CT is now being started as a ploop CT using Victim's
ploop image. The Attacker now can change the root password belonging to
Victim's CT using one of the various control panels and log in.
For the attack to succeed the following prerequisites must be met:
1. Attacker must have control over a simfs CT, while Victim CT must be
ploop-based;
2. Attacker must know the CT ID of Victim CT;
3. Attacker CT must be started while Victim CT is in stopped state;
4. There must be a control panel, which would be used to reset a
password and log into Victim CT.
The fix is simple: newly created CT must store the VE layout inside
its VE config. Existing CTs should be fixed manually by appending
"VE_LAYOUT=ploop|simfs" parameter to their CT configs.
Thanks to RACK911LABS.COM for discovering this bug and providing the
attack scenario described above.
Signed-off-by: Igor Bazhitov <ibazhitov@virtuozzo.com>
17 files changed
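The detection logic the commit describes, as an added Python example that is not vzctl's own code: the CT config's VE_LAYOUT value is authoritative, and the legacy marker-file probe is kept only as a symlink-safe fallback. The config parser, the function names and the constructed temporary directory tree are assumptions made for the example.

```python
import os, stat, tempfile

def parse_ve_config(path):
    """Minimal KEY="value" parser for a VE config (hypothetical helper, not vzctl's)."""
    conf = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, val = line.split("=", 1)
                conf[key.strip()] = val.strip().strip('"')
    return conf

def naive_detect(private_dir):
    """Pre-fix behaviour: the marker file's presence alone decides the layout."""
    marker = os.path.join(private_dir, "root.hdd", "DiskDescriptor.xml")
    return "ploop" if os.path.exists(marker) else "simfs"

def detect_layout(private_dir, config_path):
    """VE_LAYOUT from the config wins; the fallback probe refuses symlinks and escapes."""
    layout = parse_ve_config(config_path).get("VE_LAYOUT")
    if layout in ("ploop", "simfs"):
        return layout
    hdd = os.path.join(private_dir, "root.hdd")
    marker = os.path.join(hdd, "DiskDescriptor.xml")
    try:  # lstat does not follow links: a planted symlink is neither dir nor file
        if not (stat.S_ISDIR(os.lstat(hdd).st_mode)
                and stat.S_ISREG(os.lstat(marker).st_mode)):
            return "simfs"
    except FileNotFoundError:
        return "simfs"
    if not os.path.realpath(marker).startswith(os.path.realpath(private_dir) + os.sep):
        return "simfs"  # resolved path escaped the CT's private directory
    return "ploop"

def build_demo_tree():
    """Constructed fixture: CT 102 is ploop with VE_LAYOUT set; CT 101 is simfs with
    a legacy config (no VE_LAYOUT) and root.hdd symlinked to 102's image directory."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "private", "102")
    os.makedirs(os.path.join(victim, "root.hdd"))
    open(os.path.join(victim, "root.hdd", "DiskDescriptor.xml"), "w").close()
    attacker = os.path.join(base, "private", "101")
    os.makedirs(attacker)
    os.symlink("../102/root.hdd", os.path.join(attacker, "root.hdd"))
    vconf, aconf = os.path.join(base, "102.conf"), os.path.join(base, "101.conf")
    with open(vconf, "w") as f: f.write('VE_LAYOUT="ploop"\n')
    with open(aconf, "w") as f: f.write('VE_PRIVATE="/vz/private/101"\n')
    return attacker, aconf, victim, vconf
```

Running `naive_detect` and `detect_layout` over the fixture shows the pre-fix probe classifying the simfs CT as ploop while the config-first version keeps it simfs.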