-
-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security] Monitoring docker containers #4783
Comments
@CommanderStorm as discussed last week |
I think Portainer did that in the same way.
May need a reason why Portainer is ok to do that, but Uptime Kuma cannot. |
Portainer, Yacht, etc aren't really okay to do that either and I'm proxying them, too. However...
If an app would ask you to enter your root password or supply an ssh key for a root shell, you would think twice before doing so. People don't realize that the very same applies to mounting the docker socket. No offense man, you're doing great otherwise! |
I don't know how to set up this proxying. Tip You can reduce your attack surface ... => I think this would be valuable. You seem to have to have the whole thing figured out. Could you provide a PR to enhance https://github.com/louislam/uptime-kuma-wiki/blob/master/How-to-Monitor-Docker-Containers.md? |
The API call currently used - GET /containers/{id}/json exposes environment variables and a whole lot more. uptime-kuma/server/model/monitor.js Line 724 in 88b7c04
Line 72 in 88b7c04
Ideally, the use of docker API within Uptime Kuma would be restricted to GET /_ping to check the connection parameters and a sanitized GET /containers/{name}/json. Happy to contribute a fully configured and locked down proxy container with setup information. |
Try this, even if you're already proxying: It includes detailed information, including labels used to provide passwords for auth middlewares, network information, credentials passed in commands, credentials used for CIFS/NAS mounts, mount paths, exact version information, etc. There currently isn't a docker API that exposes less information. |
This should do it: https://github.com/thielj/docker-health-proxy/pkgs/container/docker-health-proxy It currently leaves the Line 72 in 88b7c04
If you agree, I suggest deferring an update of the docs until |
I've built the final version (v1.0.0). It requires If you want to test against |
Regarding the docker remote setups you're recommending as "secure"... |
📑 I have found these related issues/pull requests
🛡️ Security Policy
Description
Access to the docker socket is almost equivalent to a root shell, no matter if the socket is mounted read-only or made available through a (SSL) network connection. Instead of the procedure suggested in the docs, a much better approach would be to expose the socket through a proxy that makes only the necessary read-only API available to Uptimee Kuma through an internal docker network.
I'm using Tecnativa/docker-socket-proxy for that purpose. See the docs there.
I'm deliberately reporting this as a "documentation bug" and not a direct vulnerability to Uptime Kuma as it requires the host system or ANY container or any other system having access to the exposed socket to be compromised. However, suggesting this to users who are probably unaware of the implications is simply bad practice as it allows an attacker to immediately acquire root privileges.
👟 Reproduction steps
docker -H tcp://127.0.0.1 run -v '/:/mnt' busybox touch /mnt/test ls -al /test
👀 Expected behavior
n/a
😓 Actual Behavior
n/a
🐻 Uptime-Kuma Version
all versions
💻 Operating System and Arch
Any Linux
🌐 Browser
n/a
🖥️ Deployment Environment
Monitoring docker containers
📝 Relevant log output
No response
The text was updated successfully, but these errors were encountered: