GHSA-x9qq-236j-gj97: Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true

December 5, 2023 (updated January 30, 2025)

If a user has restricted access to a project that is configured with restricted=true, they can gain root access on the system by creating a disk device with shift=true and creating a setuid root executable. This is possible because the shift property is not restricted unless restricted.devices.disk.paths is set.

References

github.com/advisories/GHSA-x9qq-236j-gj97
github.com/canonical/lxd
github.com/canonical/lxd/commit/ce1bd0dd37bb3810fe6f16c237a4b65257f231f1
github.com/canonical/lxd/issues/12606
github.com/canonical/lxd/security/advisories/GHSA-x9qq-236j-gj97

Detect and mitigate GHSA-x9qq-236j-gj97 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →