Bug 1274601 - Remote shell and exec is allowed on privileged pods
Summary: Remote shell and exec is allowed on privileged pods
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Paul Weil
QA Contact: Jianwei Hou
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-23 06:20 UTC by Jianwei Hou
Modified: 2015-11-23 14:25 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-23 14:25:39 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Jianwei Hou 2015-10-23 06:20:00 UTC
Description of problem:
This is a regression of bug 1255022. Remote shell and exec is allowed on privileged pods

Version-Release number of selected component (if applicable):
openshift v3.0.2.902
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
Always

Steps to Reproduce:
1. Edit scc to allow privileged pods
2. oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/storage/nfs/nfs-server.yaml
3. oc rsh nfs-server
4. oc exec nfs-server ls

Actual results:
Step 3 and 4 are both successful

Expected results:
Step 3 and 4 should fail because the container is prvileged

Additional info:

Comment 2 Paul Weil 2015-10-23 12:42:07 UTC
This was changed in https://github.com/openshift/origin/pull/4755 to allow someone who has permissions to create the pod to exec into it.  If, by SCC permissions, you could create the pod you're trying to reach you are allowed to use it.

This has replaced the blanket denial: https://github.com/openshift/origin/pull/4755/files#diff-05523003a782d7b3b61c2608a29dfb39

Comment 3 Jianwei Hou 2015-10-26 05:49:02 UTC
Thank you. So this is working correctly as we expect. I was able to exec/rsh to a pod I created.

Comment 4 Brenton Leanhardt 2015-11-23 14:25:39 UTC
This fix is available in OpenShift Enterprise 3.1.


Note You need to log in before you can comment on or make changes to this bug.