symlinks not checked during alloc migration #19887
Comments
tgross
added a commit
that referenced
this issue
Feb 8, 2024
During allocation directory migration, the client was not checking that any symlinks in the archive aren't pointing to somewhere outside the allocation directory. While task driver sandboxing will protect against processes inside the task from reading/writing thru the symlink, this doesn't protect against the client itself from performing unintended operations outside the sandbox. This changeset includes two changes: * Update the archive unpacking to check the source of symlinks and require that they fall within the sandbox. * Fix a bug in the symlink check where it was using `filepath.Rel` which doesn't work for paths in the sibling directories of the sandbox directory. This bug doesn't appear to be exploitable but caused errors in testing. Fixes: #19887
nvanthao
pushed a commit
to nvanthao/nomad
that referenced
this issue
Mar 1, 2024
During allocation directory migration, the client was not checking that any symlinks in the archive aren't pointing to somewhere outside the allocation directory. While task driver sandboxing will protect against processes inside the task from reading/writing thru the symlink, this doesn't protect against the client itself from performing unintended operations outside the sandbox. This changeset includes two changes: * Update the archive unpacking to check the source of symlinks and require that they fall within the sandbox. * Fix a bug in the symlink check where it was using `filepath.Rel` which doesn't work for paths in the sibling directories of the sandbox directory. This bug doesn't appear to be exploitable but caused errors in testing. Fixes: hashicorp#19887
nvanthao
pushed a commit
to nvanthao/nomad
that referenced
this issue
Mar 1, 2024
During allocation directory migration, the client was not checking that any symlinks in the archive aren't pointing to somewhere outside the allocation directory. While task driver sandboxing will protect against processes inside the task from reading/writing thru the symlink, this doesn't protect against the client itself from performing unintended operations outside the sandbox. This changeset includes two changes: * Update the archive unpacking to check the source of symlinks and require that they fall within the sandbox. * Fix a bug in the symlink check where it was using `filepath.Rel` which doesn't work for paths in the sibling directories of the sandbox directory. This bug doesn't appear to be exploitable but caused errors in testing. Fixes: hashicorp#19887
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A bug was fixed in allocation directory migration. The Nomad client did not check that any symlinks in the archive pointed outside the allocation directory. While task driver sandboxing will protect against processes inside the task from reading/writing through the symlink, this doesn't protect against the client itself from performing unintended operations outside the sandbox, such as the template-based attack described in #19888
The text was updated successfully, but these errors were encountered: