Possible container privilege escalation: Docker 1.12.2 does not correctly apply user permissions in containers. #27590
Comments
Hi @phillipma, thanks for bringing this to our attention. We've reproduced this internally and are preparing a fix for a 1.12.3 release. It appears that there was a misconfiguration for ambient capabilities that were brought in with this runc commit, so this is an issue for kernels 4.3+. We've also seen this issue manifest itself in docker for mac here.
Test for moby#27590 Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Is this a big enough issue to suggest a security advisory?
Fixed by #27610
@vielmetti we requested one (see the changelog https://github.com/docker/docker/pull/27611/files#diff-4ac32a78649ca5bdd8e0ba38b7006a1eR40).
@thaJeztah Honorable mention for the CVE? :)
@riyazdf ^^
@vielmetti: as @thaJeztah mentioned, we've filed a CVE with MITRE against 1.12.2 for this issue and will prepare a formal security advisory upon release of 1.12.3. @phillipma: we really appreciate your report on this issue, though this issue was the first discovery and so we've filed the CVE with @gtardif as the discoverer.
This will be fixed in 1.12.3, was reported elsewhere, we are currently On 20 Oct 2016 6:13 p.m., "phillipma" notifications@github.com wrote:
@phillipma unfortunately you were too late... Sorry! On 24 Oct 2016 18:31, "phillipma" notifications@github.com wrote:
@frol can you give the output of
@justincormack Here you are: Arch Linux:
Ubuntu 16.04
Ok, the Ubuntu commit The Arch Linux version does look like it needs patching. Can you file an issue with Arch - we do not provide this package. You can use the static binaries we provide from the tarballs, or you should be able to use the
Sorry there was an error I amended it, running
Ouch... This seems to be my mistake. I am so sorry, I was running wrong commands on the updated hosts, they didn't include I am sorry for this noise :( Both Arch Linux and Ubuntu are not affected by this bug in 1.12.3.
@frol no problem Looking at the Arch commit, that is actually an old version of
Until we can support existing behaviour with `sudo`, disable ambient capabilities in runc build. Add tests that non root user cannot use default capabilities, and that capabilities are working as expected. Test for moby#27590 Update runc. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Description
Docker 1.12.2 does not correctly apply user permissions in containers.
Steps to reproduce the issue:
Describe the results you received:
When a non-privileged user is defined in the Dockerfile, the container, as expected, starts as a non-privileged user. Even if a non-privileged user is enforced, privileged commands can be executed.
This behavior only happens with Docker version 1.12.2, build bb80604 and has been tested both with and without setting the -u modifier.
I have also tested Docker 1.12.1 and this issue does not occur:
The issue is reproducible with various images defined in FROM : alpine, centos, rhel, debian...
Describe the results you expected:
Non privileged users inside containers should not be able to access privileged system functions. The following actions were possible as a non privileged user:
Additional information you deem important (e.g. issue happens only occasionally):
Output of `docker version`:
Output of `docker info`:
Additional environment details (AWS, VirtualBox, physical, etc.):
Tested on Kali Linux, Fedora and Ubuntu LTS
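The report above describes a non-root container user that could still run privileged operations, and the maintainers traced it to ambient capabilities being applied in runc. A quick way for an operator to verify that a container built with a non-root USER is actually running without capabilities is to read the Cap* masks the kernel exposes in /proc/<pid>/status. The script below is an added example and not code from the Docker/moby project or from anyone in this thread; the sample status dumps it embeds are constructed to mirror the shape of the affected and the expected case, and the capability name table follows the kernel's bit numbering. It decodes all five capability sets, not only the ambient one, so it can be pointed at /proc/1/status inside any container or at a saved dump.

```python
"""Decode the Cap* lines of a /proc/<pid>/status dump and flag a non-root
process that still holds effective or ambient capabilities.

Added example for the capability issue discussed in this thread; not code
from Docker/moby or from any commenter.  Usage:

    python3 capcheck.py            # audits the calling process (/proc/self/status)
    python3 capcheck.py dump.txt   # audits a saved /proc/<pid>/status file
"""
import re
import sys

# Capability names indexed by bit number (Linux capability.h ordering).
# Bits beyond this table are reported as cap_<n>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")

# Constructed sample: a uid 1000 process whose effective and ambient sets
# still carry a default-style capability mask (the reported behaviour).
SAMPLE_AFFECTED = """\
Name:\tsh
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t00000000a80425fb
"""

# Constructed sample: the expected state for a non-root container user,
# with empty permitted, effective and ambient sets.
SAMPLE_EXPECTED = """\
Name:\tsh
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def parse_caps(status_text):
    """Return {field: mask} for every Cap* line found in a status dump."""
    caps = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def parse_uid(status_text):
    """Return the effective UID from the 'Uid: real effective saved fs' line."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[2])
    raise ValueError("no Uid line in status text")


def cap_names(mask):
    """Expand a capability bitmask into a list of names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def audit(status_text):
    """Return (ok, findings).  ok is False when a non-root process holds any
    effective or ambient capability, which is what the thread's bug allowed."""
    uid = parse_uid(status_text)
    caps = parse_caps(status_text)
    findings = []
    if uid != 0:
        for field in ("CapEff", "CapAmb"):
            held = cap_names(caps.get(field, 0))
            if held:
                findings.append("uid %d holds %s: %s" % (uid, field, ", ".join(held)))
    return (not findings, findings)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            text = f.read()
    else:
        with open("/proc/self/status") as f:
            text = f.read()
    ok, findings = audit(text)
    for finding in findings:
        print("FINDING:", finding)
    print("ok" if ok else "non-root process still holds capabilities")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the container's non-root user (for example as the entrypoint of a throwaway image) and a non-zero exit with CapEff or CapAmb findings means the USER directive is not confining the process; an all-zero CapEff and CapAmb for a non-zero uid is the expected result.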