Don't allow an edge service to bind root-privileged files/dirs from the host #960
Comments
@bmpotter Should we fail the container bring up or should we bring it up without these invalid binds?
@bmpotter there is
If they have invalid binds, fail the container bring up. One of the reasons for also doing this check in No, I don't think
I have added support to fail the container bring up if certain keywords are detected. So far I have docker.sock and /etc. Is there a list of certain directories we want to restrict? I am thinking the list of directories might differ based on what OS our code is running on.
Nadim, Yes, it will differ. The way to handle this is to not have a list of dirs, but instead look at the permissions of the dir or file. For example:
Since there are other typical system usernames (bin, daemon, sys, ...) in addition to root, and we don't even know if regular user-owned dirs/files should be accessible by edge services, because they don't have any host system creds, I don't think it is worth checking the owner and group of the dir/file. Please survey all of the new hire samples to get an idea if this new restriction is going to be a problem, and let's discuss if it is. As Glen has noted, this won't catch cases in which the service bind mounts host dir /foo which is world readable, but host dir /foo/bar is not, but those cases are rare, so the above is a lot better than doing nothing.
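The permission-based check described in the comment above, written out as an added Go example (not anax's own code): it parses each entry of the deployment binds array, stats the host side, and refuses any path that is not world-readable. Requiring world-writable for read-write binds is an assumption added here, and because only the bound path's own mode bits are inspected, the /foo vs /foo/bar caveat from the thread still applies.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// splitBind parses Docker's host-src:container-dest[:options] bind syntax
// and reports whether the "ro" option is set; only the host side matters here.
func splitBind(bind string) (hostPath string, readOnly bool, err error) {
	parts := strings.Split(bind, ":")
	if len(parts) < 2 || parts[0] == "" {
		return "", false, fmt.Errorf("malformed bind %q", bind)
	}
	if len(parts) >= 3 {
		for _, opt := range strings.Split(parts[2], ",") {
			readOnly = readOnly || opt == "ro"
		}
	}
	return parts[0], readOnly, nil
}

// checkBindSource rejects a bind whose host path is not world-readable or,
// for a read-write bind, not world-writable (the rw rule is an assumption the
// thread did not settle). Only the bound path's own mode bits are inspected,
// so a world-readable /foo hiding a restricted /foo/bar slips through.
func checkBindSource(bind string) error {
	hostPath, readOnly, err := splitBind(bind)
	if err != nil {
		return err
	}
	info, err := os.Stat(hostPath) // follows symlinks, so the real target is checked
	if err != nil {
		return fmt.Errorf("bind %q: cannot stat host path: %w", bind, err)
	}
	mode := info.Mode().Perm()
	if mode&0o004 == 0 {
		return fmt.Errorf("bind %q: %s is not world-readable (mode %04o)", bind, hostPath, mode)
	}
	if !readOnly && mode&0o002 == 0 {
		return fmt.Errorf("bind %q: %s is read-write but not world-writable (mode %04o)", bind, hostPath, mode)
	}
	return nil
}
```

A caller iterating the binds array and failing the container bring-up on the first returned error gives the behaviour the thread settled on; a 0660 root:docker /var/run/docker.sock is rejected by the world-readable test alone.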
Dave to update this issue. |
There are currently a few serious security holes in the sandbox that anax puts an edge service into. By the service putting a few specific files/dirs in the deployment binds array in its service def, it can do things on the edge host it shouldn't be allowed to do:

/var/run/docker.sock: if the service can start any docker container, it essentially has root access to the host. See "If you have access to docker run you have root access on the host" moby/moby#1655

The checks should be done for both hzn dev service start and hzn register.