Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NsenterWriter is an arbitrary shell-execution / path traversal attack waiting to happen #16971

Closed
smarterclayton opened this issue Nov 7, 2015 · 8 comments
Closed

NsenterWriter is an arbitrary shell-execution / path traversal attack waiting to happen #16971

smarterclayton opened this issue Nov 7, 2015 · 8 comments
Assignees
@tallclair
Labels
area/security lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@smarterclayton
Copy link
Contributor

EDIT: This is not a vulnerability right now, but it is a potential one.

While fixing #16969 we noticed that NsenterWriter has the potential for arbitrary shell-execution if a caller doesn't validate their paths. We need to ensure that is impossible by invoking filepath.Clean on the passed input, and then using %q to verify that the shell we generate cannot be escaped. However, we may need to go even further (since bash + escaping == epic disaster).

Docker 1.10 should have a mount propagation setting which allows --shared mount, at which point this code should die and be totally removed. We should leave the containerized code in experimental and put big security warnings around it until we have that.

I'd also like to figure out how we can have much stronger review policies around places where we execute bash code in the node, by requiring it go through a strict review process, and having specific helpers. I'd also like to put some automation in place to ensure we do not execute shell except through whitelisted paths.

@kubernetes/rh-platform-management @kubernetes/goog-node @liggitt
@smarterclayton
Copy link
Contributor Author

A quick review indicated this is the only potential spot for this in the codebase right now but that could change.

@smarterclayton smarterclayton mentioned this issue Nov 7, 2015
Merged
@pmorie
Copy link
Member

pmorie commented Nov 8, 2015

Touchpoint: containerized exec #13691

Also, if we have to support containerizing the kubelet on pre-1.10, we will need to keep this around :-/

@smarterclayton, do you think that will be a need?

@bgrant0607-nocc bgrant0607-nocc added priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node. labels Nov 13, 2015
@timstclair
Copy link

I think in this specific case you can just use dd of= instead of cat > to avoid needing the shell.

@fejta-bot
Copy link

Issues go stale after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 19, 2017
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 18, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@tallclair
Copy link
Member

/reopen
/assign

@k8s-ci-robot
Copy link
Contributor

@tallclair: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

/reopen
/assign

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tallclair tallclair reopened this Jul 9, 2018
@tallclair tallclair mentioned this issue Jul 9, 2018
Merged
k8s-github-robot pushed a commit that referenced this issue Jul 10, 2018
Merge pull request #65997 from tallclair/writer
4217893 
Automatic merge from submit-queue (batch tested with PRs 66030, 65997). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove unused io util writer & volume host GetWriter()

Cleanup unused code.
Fixes #16971

**Release note**:
```release-note
NONE
```

/kind cleanup
/sig storage
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tallclair tallclair

Labels
area/security lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@pmorie @smarterclayton @timstclair @bgrant0607-nocc @k8s-ci-robot @tallclair @fejta-bot