Ownership bug in ubuntu-image

Hello everyone,

We had a bug in ubuntu-image that affected some of the ubuntu-core published images, and might affect one of your images as well depending on how you used the tool.

ubuntu-image, when run as non-root on systems with e2fsprogs >= 1.43, would create images in which certain files and directories were owned by the UID of the invoking user (CVE-2017-10600). When booting into an affected Ubuntu Core image, a local user with the same UID/GID as the image’s creator had privileged access to cloud-init and snapd directories (and some files within them):

  • /etc/cloud
  • /var/lib/cloud
  • /var/lib/snapd
  • /writable/system-data
  • /writable/system-data/var
  • /writable/system-data/var/lib
  • /writable/system-data/boot
  • /writable/system-data/etc

Official Ubuntu Core images downloaded from the following URLs between 2017-01-26 and 2017-07-05 are affected by this issue:

When booting into an affected official image, these files and directories are incorrectly owned by UID/GID 1000. Because the default user in the image is UID/GID 1000, the default user has access to these files and directories (note that in the default configuration these files are already accessible via sudo). The default configuration of Ubuntu Core protects the default user by disabling console logins and only allowing remote access via ssh key.

Third-party images created with ubuntu-image may have the same issue if the system the image was created on had e2fsprogs 1.43 or higher. For example, Ubuntu 16.04 LTS has e2fsprogs 1.42.13, so images created there are not affected, but Ubuntu 16.10 has 1.43.3, so images created there are affected when ubuntu-image is invoked as non-root. Furthermore, depending on the user that invoked ubuntu-image, the ownership on affected third-party images might be a different UID/GID, in which case only a matching non-default user would have improper access to these files and directories.

On 2017-07-03, the core snap in the stable channel was updated to correct the improper ownership of the affected files and directories and by today, devices should have automatically refreshed. You can see the changes made by comparing /var/lib/snapd/device/ownership-change.before and /var/lib/snapd/device/ownership-change.after. The cleanup operation intentionally does not include removing data from the system, so owners and administrators of affected devices may want to verify the contents of the affected directories.
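An ownership audit of the paths listed above, as an added example that is not part of this advisory or of ubuntu-image itself: it takes the root of a mounted image (or / on a live device), reports entries not owned by root, and diffs the ownership-change records if present. It assumes a Linux host with GNU findutils.

```shell
#!/bin/sh
# Paths from the advisory, relative to the image or device root.
AFFECTED_PATHS="etc/cloud var/lib/cloud var/lib/snapd writable/system-data \
writable/system-data/var writable/system-data/var/lib \
writable/system-data/boot writable/system-data/etc"

# check_ownership ROOT [UID] [GID]
# Prints every listed directory, and each entry directly inside it, whose
# owner is not UID:GID (default 0:0, i.e. root). Exit status is 0 when all
# entries are correctly owned and 1 when at least one is not.
check_ownership() {
    root=${1%/}; want_uid=${2:-0}; want_gid=${3:-0}
    bad=0
    for rel in $AFFECTED_PATHS; do
        p="$root/$rel"
        [ -e "$p" ] || continue          # path absent on this image: skip it
        # -maxdepth 1 covers the directory and the files directly inside it;
        # remove it for a full recursive walk (GNU find: -uid/-gid/-printf).
        hits=$(find "$p" -maxdepth 1 \( ! -uid "$want_uid" -o ! -gid "$want_gid" \) \
                    -printf '%U:%G %p\n')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            bad=1
        fi
    done
    return $bad
}

# show_ownership_change ROOT
# Diffs the before/after records left by the 2017-07-03 core snap update,
# if both exist under ROOT; returns 2 when they are not present.
show_ownership_change() {
    dir="${1%/}/var/lib/snapd/device"
    [ -f "$dir/ownership-change.before" ] && [ -f "$dir/ownership-change.after" ] || return 2
    diff -u "$dir/ownership-change.before" "$dir/ownership-change.after"
}

# Usage on a live Ubuntu Core device:
#   check_ownership / && echo "all affected paths are owned by root"
#   show_ownership_change /
```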

On 2017-07-05, the ubuntu-core images for stable and edge were updated with corrected permissions. The candidate channel’s fix is currently pending. The images in the old http://cdimage.ubuntu.com/ubuntu-snappy/16.04/current location won’t be updated and users should use the ubuntu-core stable image location instead.

On 2017-07-07, the fix for the ubuntu-image tool was committed to upstream sources, with corresponding updates for the snap in the snap store and the debs in the Ubuntu archive.

Because this is a bug in the image creation tool and not snapd or the core snap, this issue only affects certain all-snaps Ubuntu Core devices. Classic distributions using snappy are not affected by this issue.