Bug 1791534

Summary: OpenShift: containers modify /etc/passwd group writable
Product: [Other] Security Response
Reporter: Mark Cooper <mcooper>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abenaiss, bmontgom, eparis, jburrell, jlanford, jokerman, nstielau, security-response-team, sponnaga, tflannag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-02-20 00:42:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1776664

Description Mark Cooper 2020-01-16 04:58:59 UTC
A possible privilege escalation has been found in containers which modify the permissions of their local /etc/passwd.

Within a container by default a user is assigned to the root group:
    sh-4.2$ id
    uid=1001(default) gid=0(root) groups=0(root)

When this is combined with a loosening of permissions on /etc/passwd, it is possible for any user in the container to modify the passwd file and assume root.


For example: https://github.com/operator-framework/presto/blob/master/Dockerfile.rhel#L75
    chmod -R 774 /etc/passwd $JAVA_HOME/lib/security/cacerts && 

To then add a new root user (in a contrived example):
    oc rsh presto
    echo test::0:0:/root:/bin/bash >> /etc/passwd
    su test


Additionally, because OpenShift does not yet implement user namespaces, if root is achieved in the container, root is technically achieved on the host.

It is our understanding that this chmod of /etc/passwd has become necessary to support arbitrary user IDs, as per this document:
https://docs.openshift.com/container-platform/4.2/openshift_images/create-images.html#images-create-guide-openshift_create-images
The document does state "that there are no security concerns with this arrangement"; however, from the above example we can see that this is not true.


It should also be noted, however, that containers in OpenShift run under the restricted SCC context by default, with CAP_SETUID and CAP_SETGID both dropped. This significantly increases the difficulty of achieving direct access to the host. Even with protections like this (including SELinux), this technique provides a relatively easy first step towards a container escape and is still considered an escalation of privileges.


The following containers so far have been identified to modify /etc/passwd:
 - hadoop
 - hive
 - jenkins-slave-base-rhel7
 - openshift-enterprise-apb-base
 - openshift-enterprise-apb
 - openshift-enterprise-mediawiki
 - openshift-enterprise-tests
 - openshift-jenkins-2
 - ose-metering-ansible-operator
 - presto
 - sso73-openshift

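Worked example added by the editor (this is not code from the bug report, from the OpenShift documentation, or from any of the images listed above). It models the two halves of the finding in plain Python: the DAC check that makes a group-writable /etc/passwd writable for a user whose primary group is 0, and a small chmod-argument evaluator used to scan Dockerfile RUN lines for the `chmod -R 774 /etc/passwd` and `chmod g+w /etc/passwd` forms quoted in this bug. The Dockerfile fragment, the uid 1001/gid 0 identity and the passwd contents are constructed for illustration; the chmod parser is an assumption-bounded subset (octal plus ugoa/+-=/rwx, no umask and no s/t/X bits).

```python
"""Added example (editor's code, not from the bug report or any listed image):
a stdlib-only model of why "gid=0 plus a group-writable /etc/passwd" lets a
non-root container user add a uid-0 account, and a scanner for the Dockerfile
chmod lines that create that state. The Dockerfile fragment, identities and
passwd contents are constructed for illustration; the chmod parser covers
octal modes and the ugoa/+-=/rwx symbolic forms (no umask, no s/t/X bits)."""
import re
import stat


def can_write(mode, owner_uid, owner_gid, uid, gid, groups=()):
    """Plain DAC decision: owner, then group, then other bits apply in turn.
    uid 0 is short-circuited here to stand in for CAP_DAC_OVERRIDE."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if gid == owner_gid or owner_gid in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


_WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_chmod(mode, spec):
    """Mode that `chmod SPEC` leaves on a file currently at MODE."""
    if re.fullmatch(r"[0-7]{3,4}", spec):
        return int(spec, 8) & 0o7777
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwx]*)", clause)
        if not m:
            raise ValueError(f"unsupported chmod clause: {clause!r}")
        who, op, perms = m.groups()
        who_mask = 0
        for w in who or "a":
            who_mask |= _WHO[w]
        bits = 0
        for p in perms:
            bits |= _PERM[p] & who_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            mode = (mode & ~who_mask) | bits
    return mode & 0o7777


# chmod [-opts] SPEC TARGETS..., terminated by a shell operator.
_CHMOD = re.compile(r"\bchmod\s+(?:-[A-Za-z]+\s+)*([ugoa+=,rwx0-7-]+)\s+([^&;|]+)")


def weak_passwd_chmods(dockerfile):
    """(spec, resulting mode) for every chmod in a RUN instruction that targets
    /etc/passwd and leaves the group or other write bit set. The file is
    assumed to start at the packaged default 0644."""
    findings = []
    joined = dockerfile.replace("\\\n", " ")  # fold RUN line continuations
    for line in joined.splitlines():
        if not line.lstrip().upper().startswith("RUN "):
            continue
        for m in _CHMOD.finditer(line):
            spec, targets = m.group(1), m.group(2).split()
            if "/etc/passwd" not in targets:
                continue
            new_mode = apply_chmod(0o644, spec)
            if new_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((spec, new_mode))
    return findings


def rogue_root_entries(passwd_text):
    """Names of uid-0 passwd entries other than root: the trace that an appended
    line such as 'test::0:0:/root:/bin/bash' leaves behind at runtime."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


# Constructed Dockerfile fragment using the two chmod forms quoted in the report.
SAMPLE_DOCKERFILE = """\
FROM registry.example/base:latest
RUN chmod -R 774 /etc/passwd $JAVA_HOME/lib/security/cacerts && \\
    mkdir -p /opt/app
RUN chmod g+w /etc/passwd
RUN chmod 644 /etc/passwd
"""

if __name__ == "__main__":
    # Identity matching the `id` output in the report: uid=1001 gid=0 groups=0.
    for spec, mode in weak_passwd_chmods(SAMPLE_DOCKERFILE):
        writable = can_write(mode, 0, 0, uid=1001, gid=0, groups=(0,))
        print(f"chmod {spec:<4} -> {oct(mode)}  uid 1001/gid 0 can write: {writable}")
    after = "root:x:0:0:root:/root:/bin/bash\ntest::0:0:/root:/bin/bash\n"
    print("uid-0 entries besides root:", rogue_root_entries(after))
```

The scanner deliberately treats the other write bit the same as the group write bit: `chmod 774` and `chmod g+w` are flagged, `chmod 644` is not. The point of `can_write` is that the same 0664 file is not writable for a user whose primary group is, say, 1001; it is the OpenShift default of gid 0 that turns a group-writable passwd into a root-writable one. `rogue_root_entries` is the runtime counterpart: a non-root uid-0 entry, or a second uid-0 entry with an empty password field, is exactly what the `echo ... >> /etc/passwd` step leaves behind.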
Comment 2 Mark Cooper 2020-01-20 04:32:39 UTC
Overall, the following 17 OpenShift containers have the incorrect /etc/passwd permissions (some are built from the same repo):

* hadoop-container
* hive-container
* jenkins-slave-base-rhel7-container
* openshift-enterprise-ansible-operator-container
* openshift-enterprise-ansible-service-broker-operator-container
* openshift-enterprise-apb-base-container
* openshift-enterprise-apb-tools-container
* openshift-enterprise-mariadb-apb
* openshift-enterprise-mediawiki-apb
* openshift-enterprise-mediawiki-container
* openshift-enterprise-mysql-apb
* openshift-enterprise-postgresql-apb
* openshift-enterprise-template-service-broker-operator-container
* openshift-enterprise-tests-container
* ose-metering-ansible-operator-container
* presto-container

* openshift-istio-kiali-rhel7-operator-container

Comment 7 Mark Cooper 2020-01-21 06:45:23 UTC
Unembargoed.

Filed separate flaws, each with a separate CVE, for each container listed.

Comment 9 Mark Cooper 2020-01-21 07:35:31 UTC
Flaws filed for each container:

* hadoop-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793278
* hive-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793279
* jenkins-slave-base-rhel7-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793282
* openshift-enterprise-ansible-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793277
* openshift-enterprise-ansible-service-broker-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793283
* openshift-enterprise-apb-base-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793286
* openshift-enterprise-apb-tools-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793302
* openshift-enterprise-mariadb-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793289
* openshift-enterprise-mediawiki-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793296
* openshift-enterprise-mediawiki-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793297
* openshift-enterprise-mysql-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793299
* openshift-enterprise-postgresql-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793301
* openshift-enterprise-template-service-broker-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793304
* openshift-enterprise-tests-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793287
* ose-metering-ansible-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793284
* presto-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793281
* openshift-istio-kiali-rhel7-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793305

Comment 11 Dhananjay Arunesh 2020-01-24 09:36:13 UTC
Acknowledgments:

Name: Joseph LaMagna-Reiter (SPR Inc.)

Comment 13 Dave Baker 2020-12-04 19:27:00 UTC
Noting for future reference, openshift4/ose-baremetal-installer-rhel8 also suffers from these weak permissions:

https://catalog.redhat.com/software/containers/openshift4/ose-baremetal-installer-rhel8/5d94b782d70cc50ebeaa5950?container-tabs=dockerfile
- line 25:  chmod g+w /etc/passwd

Seen here in container layer content:
$ podman save openshift4/ose-baremetal-installer-rhel8  | tar -xvf -
...
$ tar vtf 3e1bc69229c4f2c3c631d68524091f7f2452e5f3fb86b3f9967e201785051d23.tar | grep etc/passwd
-rw-rw-r-- 0/0             765 2020-11-18 08:55 etc/passwd
-rw-r--r-- 0/0             703 2020-10-30 06:09 etc/passwd-


I'll clone one of the existing BZs for this container image shortly.
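Worked example added by the editor (not part of the bug report and not Red Hat's tooling): the layer-listing check from the comment above, turned into a script that fails closed so it can gate an image build. It relies only on POSIX sh, tar and awk, and inspects the mode string rather than grepping, so that `etc/group` and `etc/shadow` are covered alongside `etc/passwd`. The layer tarball produced by `build_demo_layer` is constructed locally for the demonstration; it is not extracted from any real image.

```shell
#!/bin/sh
# Added example (editor's code, not from the bug report): scan an image layer
# tarball for group- or world-writable account databases, i.e. the
# "tar vtf <layer>.tar | grep etc/passwd" check above, made to fail closed so
# it can gate a build. Needs only POSIX sh, tar and awk. The layer built by
# build_demo_layer is constructed here for the demonstration; it is not
# pulled from any real image.
set -eu

# scan_layer LAYER_TAR
# Prints each offending entry and returns 1 if etc/passwd, etc/group or
# etc/shadow carries the group (column 6) or other (column 9) write bit.
scan_layer() {
    tar -tvf "$1" | awk '
        # $1 is the mode string, $NF the path; this holds for GNU tar and bsdtar.
        $NF ~ /^(\.\/)?etc\/(passwd|group|shadow)$/ {
            if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") {
                printf "WEAK %s %s\n", $1, $NF
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# build_demo_layer WORKDIR
# Writes a rootfs whose etc/passwd is group writable (mode 664, the result of
# "chmod g+w /etc/passwd"), packs it as WORKDIR/layer.tar and prints that path.
build_demo_layer() {
    mkdir -p "$1/rootfs/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\ndefault:x:1001:0::/home/default:/sbin/nologin\n' \
        > "$1/rootfs/etc/passwd"
    printf 'root:x:0:\n' > "$1/rootfs/etc/group"
    chmod 664 "$1/rootfs/etc/passwd"
    chmod 644 "$1/rootfs/etc/group"
    tar -C "$1/rootfs" -cf "$1/layer.tar" etc
    printf '%s\n' "$1/layer.tar"
}

# Usage: sh scan_layer.sh --demo   (or source it and call scan_layer on each
# layer tarball extracted with "podman save IMAGE | tar -xf -").
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    layer=$(build_demo_layer "$work")
    if scan_layer "$layer"; then
        echo "no weak permissions found"
    else
        echo "layer fails the check (expected for the demo)"
    fi
    rm -rf "$work"
fi
```

Because the mode string in the listing is the file's stored mode, the check sees exactly what a container started from that layer would see; run it over every layer tarball that `podman save` emits, since a later layer can loosen permissions that an earlier one had correct.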