Bug 1306251 - docker: Access builder pod as root
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160229,repor...
Keywords: Reopened, Security
Depends On: 1304689 1304690
Blocks: 1306257
Reported: 2016-02-10 07:23 EST by Adam Mariš
Modified: 2016-02-29 18:18 EST (History)
CC List: 14 users

Doc Type: Bug Fix
Last Closed: 2016-02-10 16:41:35 EST
Attachments: None

Description Adam Mariš 2016-02-10 07:23:59 EST
It was reported that it is possible to access the builder pod as root when running docker build. It is observed that any commands can be run as root with 'USER root' in the Dockerfile. The restricted scc does not seem to prevent this.

Builder pods are protected from direct access via 'os rsh' or 'os exec', however, attackers are able to access a builder pod by making the pod initiate a connection and getting a reverse shell in the course of the build process.

Product bug (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1304689
Comment 1 Daniel Walsh 2016-02-10 09:16:04 EST
If I can upload my own images to the docker builder, I already get root, don't I?

Doesn't docker build run as root? I.e. RUN dnf -y install foobar
Comment 2 Kurt Seifried 2016-02-10 16:41:35 EST
Spoke with Brenton to confirm this is NOTABUG, a misunderstanding of how Docker builds work.
Comment 3 Jeremy Choi 2016-02-10 18:47:01 EST
I don't think this is much related to docker itself. s2i build has a mechanism to prevent execution as root by checking uids. Something similar might be implementable now that upstream has a card for this: https://trello.com/c/R9Vb9JDo/857-allow-limiting-dockerfiles-used-in-docker-builds-to-only-have-non-root-numeric-user-instructions
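As an added example (not code from OpenShift, s2i or the upstream card linked above) of the kind of Dockerfile check the card describes: each USER instruction must name a numeric, non-zero uid (optionally with a numeric gid), and, as an additional assumed policy, no RUN step may execute before such a USER in a build stage, since docker build runs RUN steps as the base image's user, which is root by default. The helper names and the constructed Dockerfiles are assumptions.

```python
import re

# Accepts "1001" or "1001:0"; rejects names such as "root" and variables such as "${UID}".
_UID_GID = re.compile(r"^(\d+)(?::(\d+))?$")


def _instructions(dockerfile: str):
    """Yield (line_no, KEYWORD, argument); skips comments, joins '\\' continuations."""
    buf, start = [], 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = n                   # line where this instruction began
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        text, buf = " ".join(buf), []
        parts = text.split(None, 1)
        yield start, parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def check_dockerfile_users(dockerfile: str) -> list:
    """Return (line_no, reason) findings; an empty list means the policy holds."""
    findings = []
    user_set = False                    # has a numeric non-root USER been seen in this stage?
    for n, kw, arg in _instructions(dockerfile):
        if kw == "FROM":
            user_set = False            # a new stage starts as the base image's user
        elif kw == "USER":
            m = _UID_GID.match(arg)
            if not m:
                findings.append((n, f"USER {arg!r} is not a numeric uid[:gid]"))
            elif m.group(1) == "0":
                findings.append((n, "USER 0 runs subsequent steps as root"))
            else:
                user_set = True
        elif kw == "RUN" and not user_set:
            findings.append((n, "RUN before a numeric non-root USER executes as root"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the pattern from the report, which the check should reject.
    sample = "FROM registry.example/base:1\nRUN dnf -y install foobar\nUSER root\nRUN id\n"
    for line_no, reason in check_dockerfile_users(sample):
        print(f"line {line_no}: {reason}")
```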
