Remove UID/GID hack script #93
Conversation
zachmullen
force-pushed
the
remove-docker-uid-hack
branch
from
90b21b4
to
58b6129
Compare
| tmpdir = e.info['kwargs']['_tempdir'] | ||
| cmd = [ | ||
| 'docker', 'run', '--rm', '-v', '%s:%s' % (tmpdir, DATA_VOLUME), | ||
| 'busybox', 'rm', '-rf', DATA_VOLUME |
There was a problem hiding this comment.
I know generally we want to avoid replicating information, but it seems like hard coding '/mnt/girder_worker/data' would avoid potential attack vectors here
There was a problem hiding this comment.
What sort of attack? So long as DATA_VOLUME is only ever a string constant, wouldn't this be fine?
There was a problem hiding this comment.
maybe i'm not reading the right, but if I can modify _tempdir so it is equal to '/' and DATA_VOLUME so it is equal to "/" won't I blow away your whole OS?
There was a problem hiding this comment.
I think if anyone managed to change the value of these variables, we have already been compromised to the point that an attacker could likely do whatever they want on the filesystem within the constraints of the worker user.
There was a problem hiding this comment.
I would say the problem is less about an attacker changing it than a user or developer accidentally doing something wrong.
There was a problem hiding this comment.
Either way, the tmpdir variable is the one that presents the danger more than the DATA_VOLUME since that's the one referring to the host filesystem.
There was a problem hiding this comment.
Instead of rm -rf DATA_VOLUME, we could chmod -R a+x DATA_VOLUME, and then let the temp directory get cleaned up via the normal job cleanup. This has the virtue that the cleanup flag would be honored.
There was a problem hiding this comment.
Well, if that got compromised in the same way, then instead of deleting our root filesystem, we've just given write permission to every user on every file... I'd rather just have them delete the files since it's an ephemeral processing node.
There was a problem hiding this comment.
I was suggesting it to preserve the cleanup flag behavior, rather than as a security measure.
There was a problem hiding this comment.
Oh, right, that makes sense. I'll change to set o+w.
This is a better cleanup solution; we run a very small container to clean up the temp directory for us as root.
zachmullen
force-pushed
the
remove-docker-uid-hack
branch
from
58b6129
to
6165338
Compare
Otherwise it ignores the "cleanup" argument to run().
| tmpdir = e.info['kwargs']['_tempdir'] | ||
| cmd = [ | ||
| 'docker', 'run', '--rm', '-v', '%s:%s' % (tmpdir, DATA_VOLUME), | ||
| 'busybox', 'chmod', '-R', 'o+rw', DATA_VOLUME |
There was a problem hiding this comment.
Should this be a+rw rather than o+rw? If the docker container happens to be the same UID or GID as girder_worker and leaves the files unwritable or unreadable, then wouldn't we fail to remove them otherwise?
There was a problem hiding this comment.
Is that true? I assumed o meant any user, regardless of whether they are the owner or in the owning group
There was a problem hiding this comment.
(Just tested, turns out you are right! I learned something new today)
There was a problem hiding this comment.
I thought so (but I was testing it myself to make sure).
zachmullen
force-pushed
the
remove-docker-uid-hack
branch
from
8ce34bc
to
4dbabaa
Compare
|
@cjh1 this is the branch I mentioned earlier that will conflict with the docker-py transition. Once you create the integration testing for docker mode, a lot of this testing mock stuff should go away since it's mostly testing mocked internal details and is a pain to maintain. |
|
@zachmullen Working on that at the moment, for now I am adding an additional test, rather the converting over the mocked version. |
zachmullen
force-pushed
the
remove-docker-uid-hack
branch
from
4dbabaa
to
f10fe8e
Compare
|
Thanks @manthey |
This is a better cleanup solution; we run a very small container
to clean up the temp directory for us as root.