[master] Fix Access to remapped root allows privilege escalation to real root (CVE-2021-21284) #41964
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Generally if we ever need to change perms of a dir, between versions, this ensures the permissions actually change when we think it should change without having to handle special cases if it already existed. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit edb62a3) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The remapped root does not need access to this dir. Having this owned by the remapped root opens the host up to an uprivileged user on the host being able to escalate privileges. While it would not be normal for the remapped UID to be used outside of the container context, it could happen. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit bfedd27) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Various dirs in /var/lib/docker contain data that needs to be mounted into a container. For this reason, these dirs are set to be owned by the remapped root user, otherwise there can be permissions issues. However, this uneccessarily exposes these dirs to an unprivileged user on the host. Instead, set the ownership of these dirs to the real root (or rather the UID/GID of dockerd) with 0701 permissions, which allows the remapped root to enter the directories but not read/write to them. The remapped root needs to enter these dirs so the container's rootfs can be configured... e.g. to mount /etc/resolve.conf. This prevents an unprivileged user from having read/write access to these dirs on the host. The flip side of this is now any user can enter these directories. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit e908cc3) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
AkihiroSuda
approved these changes
Feb 2, 2021
tiborvass
approved these changes
Feb 2, 2021
|
Unrelated failure in https://ci-next.docker.com/public/blue/organizations/jenkins/moby/detail/PR-41964/1/tests |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This forward-ports the changes related to CVE-2021-21284 (Advisory: GHSA-7452-xqpj-6rpc). These changes are already included in the v20.10.3 and v19.03.15 security releases, and this PR forwards those changes to the master branch
Cherry-pick was clean: