
enforce the security switch "disable the use of bind mounts" when set via API #4106

Closed
ncresswell opened this issue Jul 27, 2020 · 5 comments · Fixed by #4110

@ncresswell (Member)

Right now we allow the Portainer administrator to "disable the use of bind mounts by non-admins", which is purely a front-end restriction and is more of a "hide the capability". This feature stops users from selecting bind mounts in the container / service creation views, and stops the use of bind mounts when writing stacks. However, if a skilled user were to craft an API request to Portainer that included bind mounts, it would succeed, as there is no backend enforcement.

To ensure security, we should enforce this restriction via the backend so that it cannot be used through the Portainer API.

@deviantony deviantony added kind/enhancement Applied to Feature Requests priority/high Core team priority security labels Jul 27, 2020
@deviantony deviantony added this to the 2.0 milestone Jul 27, 2020
@chiptus chiptus self-assigned this Jul 27, 2020
@chiptus (Contributor) commented Jul 27, 2020

A stack with the following file failed creation because bind mounts are disabled for non-admins:

version: "2"

services:
  web:
    image: nginx:latest
    volumes:
      - /temp:/temp1

I guess this is only for containers

@chiptus (Contributor) commented Jul 27, 2020

Anyway, I'm testing everything to be sure. You can see my tests at #4110 (comment).

@deviantony (Member) commented Jul 27, 2020

@chiptus should also be enforced for Swarm services.
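The thread asks for one backend gate that covers every path a request can take: the container-create payload (HostConfig.Binds and HostConfig.Mounts), the compose file of a stack (the case chiptus tested above), and a Swarm service's TaskTemplate.ContainerSpec.Mounts. The Go below is an added illustration of such a gate, not Portainer's own code or the fix in #4110; the names Enforce, isBindSpec, composeBindMounts and the Mount struct are assumptions, and the compose scanner is a small stand-in for a YAML parser. The sample compose file used in the test is the one from the comment above.

```go
package main

import (
	"errors"
	"strings"
)

// ErrBindMountsForbidden is what the backend returns instead of forwarding the request.
var ErrBindMountsForbidden = errors.New("bind mounts are disabled for non-administrators")

// Mount mirrors the Docker API mount entry fields this check needs; the same shape is
// used by HostConfig.Mounts and by a Swarm service's TaskTemplate.ContainerSpec.Mounts.
type Mount struct {
	Type   string // "bind", "volume", "tmpfs", ...
	Source string
	Target string
}

// isBindSpec reports whether a short-syntax volume string names a host path: a source
// starting with "/", "./", "../" or "~" is a bind mount, a bare name is a named volume,
// and a lone target is an anonymous volume. Windows drive-letter sources are not handled.
func isBindSpec(spec string) bool {
	parts := strings.SplitN(strings.Trim(spec, "\"'"), ":", 2)
	if len(parts) < 2 {
		return false
	}
	for _, p := range []string{"/", "./", "../", "~"} {
		if strings.HasPrefix(parts[0], p) {
			return true
		}
	}
	return false
}

// composeBindMounts collects service volume entries that bind a host path. It is a small
// line scanner standing in for a YAML parser (assumption): it reads "- " items under any
// "volumes:" list, flags short-syntax host paths and also catches long-syntax "type: bind".
func composeBindMounts(compose string) []string {
	var found []string
	inVolumes, volumesIndent := false, 0
	for _, raw := range strings.Split(compose, "\n") {
		trimmed := strings.TrimSpace(raw)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		if trimmed == "volumes:" {
			inVolumes, volumesIndent = true, indent
			continue
		}
		if indent <= volumesIndent {
			inVolumes = false // back at or above the list's own indentation: list is over
		}
		if !inVolumes {
			continue
		}
		entry := strings.TrimSpace(strings.TrimPrefix(trimmed, "- "))
		if isBindSpec(entry) || entry == "type: bind" {
			found = append(found, entry)
		}
	}
	return found
}

// Enforce is the single backend gate (hypothetical name). Container requests supply
// HostConfig.Binds and HostConfig.Mounts, Swarm services supply ContainerSpec.Mounts,
// stacks supply their compose file; each argument may be empty. Administrators and an
// unset switch pass through unchanged; anything else carrying a bind mount is rejected.
func Enforce(binds []string, mounts []Mount, compose string, isAdmin, bindMountsDisabled bool) error {
	if isAdmin || !bindMountsDisabled {
		return nil
	}
	for _, b := range binds {
		if isBindSpec(b) {
			return ErrBindMountsForbidden
		}
	}
	for _, m := range mounts {
		if strings.EqualFold(m.Type, "bind") {
			return ErrBindMountsForbidden
		}
	}
	if len(composeBindMounts(compose)) > 0 {
		return ErrBindMountsForbidden
	}
	return nil
}
```

The point of a single gate is that it runs on the API handler regardless of which view produced the request, so a hand-crafted call gets the same answer the UI would. A named volume such as `data:/var/lib/db` passes, a host path such as `/temp:/temp1` or a long-syntax `type: bind` entry is refused, and the check is a no-op for administrators or when the switch is off.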

@deviantony (Member)

Re-opening this issue to be backported into 1.24.2

@deviantony (Member)

Closed via #4467
