-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove UID/GID hack script #93
Conversation
90b21b4
to
58b6129
Compare
tmpdir = e.info['kwargs']['_tempdir'] | ||
cmd = [ | ||
'docker', 'run', '--rm', '-v', '%s:%s' % (tmpdir, DATA_VOLUME), | ||
'busybox', 'rm', '-rf', DATA_VOLUME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know generally we want to avoid replicating information, but it seems like hard coding '/mnt/girder_worker/data' would avoid potential attack vectors here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What sort of attack? So long as DATA_VOLUME
is only ever a string constant, wouldn't this be fine?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe i'm not reading the right, but if I can modify _tempdir so it is equal to '/' and DATA_VOLUME so it is equal to "/" won't I blow away your whole OS?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if anyone managed to change the value of these variables, we have already been compromised to the point that an attacker could likely do whatever they want on the filesystem within the constraints of the worker user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would say the problem is less about an attacker changing it than a user or developer accidentally doing something wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Either way, the tmpdir
variable is the one that presents the danger more than the DATA_VOLUME
since that's the one referring to the host filesystem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of rm -rf DATA_VOLUME
, we could chmod -R a+x DATA_VOLUME
, and then let the temp directory get cleaned up via the normal job cleanup. This has the virtue that the cleanup flag would be honored.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, if that got compromised in the same way, then instead of deleting our root filesystem, we've just given write permission to every user on every file... I'd rather just have them delete the files since it's an ephemeral processing node.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was suggesting it to preserve the cleanup
flag behavior, rather than as a security measure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, right, that makes sense. I'll change to set o+w
.
This is a better cleanup solution; we run a very small container to clean up the temp directory for us as root.
58b6129
to
6165338
Compare
Otherwise it ignores the "cleanup" argument to run().
tmpdir = e.info['kwargs']['_tempdir'] | ||
cmd = [ | ||
'docker', 'run', '--rm', '-v', '%s:%s' % (tmpdir, DATA_VOLUME), | ||
'busybox', 'chmod', '-R', 'o+rw', DATA_VOLUME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be a+rw
rather than o+rw
? If the docker container happens to be the same UID or GID as girder_worker and leaves the files unwritable or unreadable, then wouldn't we fail to remove them otherwise?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that true? I assumed o
meant any user, regardless of whether they are the owner or in the owning group
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Just tested, turns out you are right! I learned something new today)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought so (but I was testing it myself to make sure).
8ce34bc
to
4dbabaa
Compare
@cjh1 this is the branch I mentioned earlier that will conflict with the docker-py transition. Once you create the integration testing for docker mode, a lot of this testing mock stuff should go away since it's mostly testing mocked internal details and is a pain to maintain. |
@zachmullen Working on that at the moment, for now I am adding an additional test, rather the converting over the mocked version. |
4dbabaa
to
f10fe8e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This works nicely with my docker-in-docker case now.
Thanks @manthey |
This is a better cleanup solution; we run a very small container
to clean up the temp directory for us as root.