
Gitea Actions is HIGHLY insecure due to binding of docker.sock into all containers (= root on host) #24438

Closed
vitalif opened this issue Apr 30, 2023 · 2 comments
Labels
topic/gitea-actions related to the actions of Gitea type/bug

Comments

@vitalif
Contributor

vitalif commented Apr 30, 2023

Description

Hi.

I already submitted it as https://gitea.com/gitea/act_runner/issues/167
But I want to duplicate it here because I think it's VERY important. The problem is:

Gitea act_runner is TERRIBLY INSECURE: it allows all job containers to:

  1. access the docker daemon on host via the socket.
  2. bind host directories into the container.

This allows any job to escape from the container and easily get root privileges on the runner host. Jobs are basically untrusted code so they have to be isolated correctly.

Some of the ways you can escape the container using docker.sock include:

  • starting a privileged container
  • using host namespaces
  • using a bind mount to host directory to overwrite system files

It may be rather OK for act itself because it's only a local testing tool, but for act_runner it's a real blocker.

You should forbid bind mounts in job descriptions (named volumes are probably ok) and remove docker socket access. The latter will probably break docker-related steps, so for them you'll have to use DinD or newer tools like Kaniko or Buildah/Podman.

I like Gitea and I have used it for a long time, so I'll probably try to patch and test it on my server and submit a PR, but anyway, in the current state Gitea Actions SHOULD NOT be used in production.

Gitea Version

1.19.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Official linux amd64 binary in systemd.
Testing act_runner in a separate VM.

Database

MySQL
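The conditions the report lists (Docker socket mounted into the job, host bind mounts, privileged mode, host namespaces) are all visible in `docker inspect` output, so an operator can check a runner host for them without guessing. The script below is an added example for this issue; it is not code from the Gitea issue, from act_runner, or from the act project. It parses `docker inspect` JSON, flags each of those conditions, and exits non-zero when any is found. The allow-list of host paths a runner may legitimately bind (`ALLOWED_BIND_PREFIXES`) is an assumption you would adjust for your own setup, and the embedded sample is a constructed stand-in for real `docker inspect` output.

```python
"""Audit Docker containers on a CI runner host for isolation failures.

Added example (not part of the Gitea issue or act_runner). Reads the JSON
that `docker inspect <container...>` prints and reports the conditions the
issue describes as container-escape enablers. Usage on a real host:

    docker inspect $(docker ps -q) | python3 audit_job_containers.py
"""
import json
import sys

DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}
# Assumption: host directories a runner legitimately bind-mounts (adjust for your setup).
ALLOWED_BIND_PREFIXES = ("/var/lib/act_runner/",)


def audit_container(info: dict) -> list[str]:
    """Return one finding per risky setting in a single container's inspect record."""
    findings = []
    name = info.get("Name", "?").lstrip("/")
    host = info.get("HostConfig", {})

    # Privileged containers get every capability and all host devices.
    if host.get("Privileged"):
        findings.append(f"{name}: runs privileged (full host device/capability access)")

    # Sharing a host namespace removes the isolation boundary the job relies on.
    for key, label in (("PidMode", "PID"), ("NetworkMode", "network"), ("IpcMode", "IPC")):
        if host.get(key) == "host":
            findings.append(f"{name}: shares host {label} namespace")

    for mount in info.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # named volumes are daemon-managed, not arbitrary host paths
        src = mount.get("Source", "")
        if src in DOCKER_SOCKET_PATHS or src.rstrip("/").endswith("docker.sock"):
            findings.append(f"{name}: mounts Docker daemon socket {src} (root-equivalent on host)")
        elif not src.startswith(ALLOWED_BIND_PREFIXES):
            mode = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"{name}: bind-mounts host path {src} ({mode})")
    return findings


def audit_all(inspect_json: str) -> list[str]:
    """Audit every container in a `docker inspect` JSON document (list or single object)."""
    containers = json.loads(inspect_json)
    if isinstance(containers, dict):
        containers = [containers]
    findings = []
    for container in containers:
        findings.extend(audit_container(container))
    return findings


# Constructed sample resembling `docker inspect` output: one job container
# started with docker.sock and /etc bound in, and one using only an allowed path.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/job-build-42",
        "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge", "IpcMode": "private"},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "RW": True},
            {"Type": "volume", "Name": "cache", "Source": "/var/lib/docker/volumes/cache/_data",
             "Destination": "/cache", "RW": True},
        ],
    },
    {
        "Name": "/job-test-43",
        "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge", "IpcMode": "private"},
        "Mounts": [
            {"Type": "bind", "Source": "/var/lib/act_runner/workspace", "Destination": "/workspace", "RW": True},
        ],
    },
])

if __name__ == "__main__":
    # Read real inspect output from a pipe; fall back to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    results = audit_all(data)
    for line in results:
        print("FINDING", line)
    sys.exit(1 if results else 0)
```

On the constructed sample the script reports two findings, both for `job-build-42` (the socket mount and the `/etc` bind mount); the named volume is ignored and the second container passes because its only bind mount sits under the allowed prefix. Running this periodically, or wiring its exit status into a host health check, turns the report's "jobs are basically untrusted code" point into something you can verify rather than assume.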


@wolfogre wolfogre added the topic/gitea-actions related to the actions of Gitea label Apr 30, 2023
@wolfogre
Member

wolfogre commented Jun 21, 2023

Since act runner now supports dind (gitea/act_runner:nightly-dind-rootless or gitea/act_runner:latest-dind-rootless; see https://hub.docker.com/r/gitea/act_runner/tags), I think it's time to close this issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 6, 2023