Bug 1306251

Summary: docker: Access builder pod as root
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: ASSIGNED --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, dmcphers, dwalsh, jechoi, jialiu, khong, lmeyer
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-10 21:41:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1304689, 1304690    
Bug Blocks: 1306257    

Description Adam Mariš 2016-02-10 12:23:59 UTC 
It was reported that it is possible to access builder pod as root when running docker build. It is observed that any commands can be run as root with 'USER root' in Dockerfile. The restricted scc does not seem to prevent this. 

Builder pods are protected from direct access via 'os rsh' or 'os exec', however, attackers are able to access a builder pod by making the pod initiate a connection and getting a reverse shell in the course of the build process.

Product bug (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1304689
Comment 1 Daniel Walsh 2016-02-10 14:16:04 UTC 
If I can upload my own images to the docker builder, I already get root, don't I?

Doesn't docker build run as root?  IE RUN dnf -y install foobar
Comment 2 Kurt Seifried 2016-02-10 21:41:35 UTC 
Spoke with Brenton to confirm this is NOTABUG, misunderstanding of how Docker/builds works.
Comment 3 Jeremy Choi 2016-02-10 23:47:01 UTC 
I don't think this is much related to docker itself. s2i build has a mechanism to prevent execution as root by checking uids. The similar thing might be able to be implemented now that the upstream has a card for this: https://trello.com/c/R9Vb9JDo/857-allow-limiting-dockerfiles-used-in-docker-builds-to-only-have-non-root-numeric-user-instructions