Bug 1665077
Summary: | setuid/setgid binaries in Docker running as a non priv user with no capabilities, may still create root owned files outside container on (bind-)mounted volume | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oliver Falk <ofalk> |
Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED WONTFIX | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 7.6 | CC: | amurdaca, dornelas, dwalsh, lsm5, pasik, sgrubb, tsweeney |
Target Milestone: | rc | Keywords: | Extras, Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-06-09 22:12:49 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1186913 |
Comment 2
Daniel Walsh
2019-01-10 13:54:44 UTC
Hi Daniel! Well, no, the binary inside (bash in that case) is setuid: I have no name!@967ff252e80d:/$ ls -ahl /bash -rwsrwxrwx. 1 root root 1.1M Dec 7 20:10 /bash I have no name!@967ff252e80d:/$ /bash -p bash-4.4# id uid=99 gid=99 euid=0(root) groups=99 I've asked the customer to check the ps on his system. On my system: # ps auxw|grep 'bash -p'|grep -v grep root 27913 0.0 0.0 18124 1932 pts/1 S+ 15:39 0:00 /bash -p # pscap |grep 27913 # That the basic point. How can we avoid setuid binaries inside a container to become "root" and create root-owned files (outside, via the bind-mounted volume). The ps command above shows the process within the container runing as root on the host? # ps auxw|grep 'bash -p'|grep -v grep root 27913 0.0 0.0 18124 1932 pts/1 S+ 15:39 0:00 /bash -p That would be wrong docker run -d fedora sleep 1000 ps auxw|grep sleep |grep -v grep The sleep should be running as Docker root, if it is running as root then the container is not running in a user namespace. You can also execute something like docker run -d fedora cat /proc/self/uid_map And see if there is a mapping. If the process is running in a Usernamespace and can create a setuid files on the host, then this is a bug in the kernel. That means the docker daemon is not running in user namespace. Tell them to use podman. :^) Are they actually saying that a user running as non root can create a setuid file? Yes getting setuid from --cap-drop=all should not happen. If you run a docker container with --cap-drop-call what does /proc/self/status capsbnd show? Giving a user access to the docker socket, is worse then giving them sudo without password. http://www.projectatomic.io/blog/2014/09/granting-rights-to-users-to-use-docker-in-fedora/ Talk to this customer about podman. That should prevent you from gaining any privs. We have no plans to ship another version of Docker at this time. RHEL7 is in final support stages where only security fixes will get released. Customers should move to use Podman which is available starting in RHEL 7.6. |