Skip to content
This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

documentation: security best practices for volumes #735

Closed
gtirloni opened this issue Apr 7, 2015 · 5 comments
Closed

documentation: security best practices for volumes #735

gtirloni opened this issue Apr 7, 2015 · 5 comments
Labels
help wanted kind/documentation low hanging fruit
Milestone
v1.30.0

Comments

@gtirloni
Copy link

gtirloni commented Apr 7, 2015

To prevent code inside a container from creating objects that could be potential security holes on the host.

Might also show a warning if a container is started and the filesystem used to mount a volume does not have those options ("the filesystem used allows device, executable and suid files to be created, please consider using a separate filesystem with nodev,noexec,nosuid options").
@alban
Copy link
Member

alban commented Apr 7, 2015

Context: the discussion started from this blog post and on the rkt-dev mailing list.

As far as I understand the scenario in the blog post, the command ./sh to become root (and the following whoami) are executed on the host, and not in the Docker container. So in order to block the scenario described above, the options nosuid would need to be set up on the host mountpoints, rather than on the mountpoints in the container's mount namespace. That's not up to Docker or rkt to decide the mount options on the host. And noexec cannot be used on "/" on the host.

The nosuid option does not block the creation of files with the suid bit, but rather ignore the bit when the file is executed. Similarly, nodev does not restrict the ability to create device nodes, but rather block access to them.

So I don't think it is necessary to change the mount options in the rkt mount namespace. (And it would not help)

I like your idea of a warning.

I suggest we also keep this issue open until the security implications of bind mounting a volume from the host to the pod are properly documented. Security best practices in rkt/Documentation/security.md?

  • Use volumes with "readOnly=true" when write access is not necessary
  • When write access is necessary, advise to only share directories that are on a
    filesystem mounted with the options nosetuid, nodev.

@gtirloni
Copy link
Author

gtirloni commented Apr 7, 2015

That makes sense. Thanks a lot @alban!

@jonboulle jonboulle changed the title Default to mounting volumes with nodev, noexec and nosuid options documentation: security best practices for volumes Apr 8, 2015
@jonboulle
Copy link
Contributor

Updated title to capture proposal.

@ibukanov
Copy link

Mounting with nosuid still allows to create setuid binaries, it is just the setuid bit would have no effect. That leaves a possibility of doing cp -a or similar to transfer setuid binary to another location. This is probably insignificant threat, but still emphasizing in the documentation about avoiding root for processes in the containers would be nice.

@alban
Copy link
Member

alban commented Apr 14, 2015

More ideas for security best practices for volumes:

  • it is better if the volume being shared is a full filesystem rather than just a directory in a filesystem (a mounted partition or some file mounted with mount -o loop)
  • avoid sharing directories when tools on the host can move files outside the directory (such as Nautilus moving directories to the wastebasket ~/.local/share/Trash when the user deletes it)

See:
moby/moby#12317

@jonboulle jonboulle added this to the v1+ milestone Jan 15, 2016
@alban alban mentioned this issue May 17, 2016
Closed
@iaguis iaguis mentioned this issue Nov 16, 2017
Merged
@iaguis iaguis modified the milestones: v1+, 1.30.0 Apr 11, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
help wanted kind/documentation low hanging fruit
Projects
None yet
Milestone
v1.30.0
Development

No branches or pull requests
5 participants
@alban @iaguis @ibukanov @jonboulle @gtirloni