Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability of sudo_session_enabled implementation #2151

Closed
jopemachine opened this issue May 16, 2024 · 1 comment · Fixed by #2162
Closed

Security vulnerability of sudo_session_enabled implementation #2151

jopemachine opened this issue May 16, 2024 · 1 comment · Fixed by #2162
Assignees
@jopemachine
Labels
area:security Security issue. comp:agent Related to Agent component type:bug Reports about that are not working
Milestone
23.09

Comments

@jopemachine
Copy link
Member

What Operating System(s) are you seeing this problem on?

Linux (x86-64)

Backend.AI version

23.09

Describe the bug

Passwordless sudo was implemented in #1530.

But however, this has a security vulnerability in the following situations.

To Reproduce

Here, we assume that sudo.enabled_sudo_session is set to False and the "python" image is to contain the sudo binary.

./backend.ai session create -e SUDO_SESSION_ENABLED=1 python

Expected Behavior

Since sudo_session_enabled is set to False, the expected behavior is that sudo should not be available.

Anything else?

In the current implementation, passing environment variables allows sudo to be used.
@jopemachine jopemachine added type:bug Reports about that are not working area:security Security issue. labels May 16, 2024
@jopemachine jopemachine linked a pull request May 16, 2024 that will close this issue
fix: Security vulnerability for sudo_session_enabled #2150
Closed
3 tasks
@jopemachine jopemachine added this to the 23.09 milestone May 16, 2024
@jopemachine jopemachine self-assigned this May 16, 2024
@jopemachine jopemachine added the comp:agent Related to Agent component label May 16, 2024
This was referenced May 16, 2024
Closed
Merged
kyujin-cho pushed a commit that referenced this issue May 27, 2024
@jopemachine
fix: Security vulnerability of sudo session enablement (#2162)
757f081 
<!--
Please precisely, concisely, and concretely describe what this PR changes, the rationale behind codes,
and how it affects the users and other developers.
-->

Fixes #2151, follow-up of #1530.

This PR fixes the security vulnerability in `sudo_session_enabled` that was implemented using environment variables.

**Checklist:** (if applicable)

- [x] Milestone metadata specifying the target backport version
- [x] Mention to the original issue
- [x] Installer updates including:
  - New mandatory config options
lablup-octodog pushed a commit that referenced this issue May 27, 2024
@jopemachine
fix: Security vulnerability of sudo session enablement (#2162)
c1dcae5 
<!--
Please precisely, concisely, and concretely describe what this PR changes, the rationale behind codes,
and how it affects the users and other developers.
-->

Fixes #2151, follow-up of #1530.

This PR fixes the security vulnerability in  that was implemented using environment variables.

**Checklist:** (if applicable)

- [x] Milestone metadata specifying the target backport version
- [x] Mention to the original issue
- [x] Installer updates including:
  - New mandatory config options

Backported-from: main (24.09)
Backported-to: 24.03
Backport-of: 2162
lablup-octodog pushed a commit that referenced this issue May 27, 2024
@jopemachine
fix: Security vulnerability of sudo session enablement (#2162)
e190df3 
<!--
Please precisely, concisely, and concretely describe what this PR changes, the rationale behind codes,
and how it affects the users and other developers.
-->

Fixes #2151, follow-up of #1530.

This PR fixes the security vulnerability in  that was implemented using environment variables.

**Checklist:** (if applicable)

- [x] Milestone metadata specifying the target backport version
- [x] Mention to the original issue
- [x] Installer updates including:
  - New mandatory config options

Backported-from: main (24.09)
Backported-to: 23.09
Backport-of: 2162
@jopemachine
Copy link
Member Author

Closed as resolved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jopemachine jopemachine

Labels
area:security Security issue. comp:agent Related to Agent component type:bug Reports about that are not working
Projects
None yet
Milestone
23.09
1 participant
@jopemachine