
Security issue in multi-user environment #147

Closed
tesujimath opened this Issue Apr 5, 2017 · 4 comments


tesujimath commented Apr 5, 2017

Firstly, I'm not quite sure if this is the right place to discuss this issue, which is a general problem about the risk of allowing unprivileged users to run BioContainers on a multi-user system. I'll assume for now it's OK to discuss it here. :-)

We are investigating providing bioinformatics applications to our scientists by letting them use docker to run BioContainers, so all these users needing to run these containers will be in the docker group. These users are scientists, not IT staff, so they are definitely not to be trusted with being root on the servers. Unfortunately, running a BioContainer (or a docker container in general) gives all these users the ability to write files all over the host filesystem, as root, by running a container as root and mounting the host filesystem like this (I'm using the qiime biocontainer just as an example):

host$ docker run -it -u 0 -v /:/host quay.io/biocontainers/qiime:1.9.1--py27_0 bash

bash-4.2# cd /host
bash-4.2# echo I trashed your system, muhaha > evil-user-was-here
bash-4.2# exit

host$ ls -l /
total 44
lrwxrwxrwx.   1 root     root     7 Apr  4 15:56 bin -> usr/bin
dr-xr-xr-x.   4 root     root  4096 Apr  4 16:34 boot
drwxr-xr-x   21 root     root  3360 Apr  5 09:11 dev
drwxr-xr-x. 107 root     root  8192 Apr  5 09:10 etc
-rw-r--r--    1 root     root    30 Apr  5 14:18 evil-user-was-here
drwxr-xr-x    3 root     root     0 Apr  5 09:15 home
lrwxrwxrwx.   1 root     root     7 Apr  4 15:56 lib -> usr/lib
lrwxrwxrwx.   1 root     root     9 Apr  4 15:56 lib64 -> usr/lib64
...

host$ cat /evil-user-was-here 
I trashed your system, muhaha

So I can't afford to put these users in the docker group. It would seem I have to write a setgid C program to control access to the docker command, which will do the non-privileged user mapping and mounting of data directories from the host into the container.

It may be that using rkt instead of docker will simplify the whole approach. But I don't think rkt is quite there with regard to running as unprivileged.

I can't be the only one to hit this issue on a multi-user system. What are other people doing?


osallou commented Apr 5, 2017


tesujimath commented Apr 5, 2017

Hi Olivier,

Thanks for the info. I am also looking at rkt. I think what I need is much simpler than your godocker program. I am thinking simply of a setuid wrapper which just invokes the underlying command with carefully managed user mapping and volume mounting.

cheers,
Simon


osallou commented Apr 6, 2017


tesujimath commented Apr 10, 2017

I decided to write a wrapper for rkt, to enable use by unprivileged users. Rkt seemed to be a better fit than docker for our use. There's a first version available now. Expect further refinements to come. Here: rktrunner

@ypriverol ypriverol closed this Mar 29, 2018
