Bug 1791534 - OpenShift: containers modify /etc/passwd group writable
Summary: OpenShift: containers modify /etc/passwd group writable
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1776664
Reported: 2020-01-16 04:58 UTC by Mark Cooper
Modified: 2020-02-20 00:55 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-02-20 00:42:48 UTC


Description Mark Cooper 2020-01-16 04:58:59 UTC
A possible privilege escalation has been found in containers which modify the permissions of their local /etc/passwd.

Within a container by default a user is assigned to the root group:
    sh-4.2$ id
    uid=1001(default) gid=0(root) groups=0(root)

When this is combined with a loosening of permissions on /etc/passwd, it is possible for any user in the container to modify the passwd file and assume root.

For example: https://github.com/operator-framework/presto/blob/master/Dockerfile.rhel#L75
    chmod -R 774 /etc/passwd $JAVA_HOME/lib/security/cacerts && 

To then add a new root user (in a contrived example):
    oc rsh presto
    echo test::0:0:/root:/bin/bash >> /etc/passwd
    su test

Additionally, as a result of OpenShift not implementing user namespaces as of yet, if root is achieved in the container - root is technically achieved on the host.

It is our understanding that this chmod of /etc/passwd has become necessary to support arbitrary user ids as per this document:
The document does state, "that there are no security concerns with this arrangement", however from the above example we can see that this is not true.

It should also be noted however, that containers in OpenShift do run under a restricted SCC context by default, with CAP_SETUID and CAP_SETGID both dropped. This significantly increases the difficulty of achieving access to the host directly. Even with protections like this (including SELinux), this technique provides a relatively easy first step in achieving a container escape and is still considered an escalation in privileges.

The following containers so far have been identified to modify /etc/passwd:
 - hadoop
 - hive
 - jenkins-slave-base-rhel7
 - openshift-enterprise-apb-base
 - openshift-enterprise-apb
 - openshift-enterprise-mediawiki
 - openshift-enterprise-tests
 - openshift-jenkins-2
 - ose-metering-ansible-operator
 - presto
 - sso73-openshift

Comment 2 Mark Cooper 2020-01-20 04:32:39 UTC
Overall the following 17 OpenShift containers contain the incorrect /etc/passwd permissions (some are built from the same repo):

* hadoop-container
* hive-container
* jenkins-slave-base-rhel7-container
* openshift-enterprise-ansible-operator-container
* openshift-enterprise-ansible-service-broker-operator-container
* openshift-enterprise-apb-base-container
* openshift-enterprise-apb-tools-container
* openshift-enterprise-mariadb-apb
* openshift-enterprise-mediawiki-apb
* openshift-enterprise-mediawiki-container
* openshift-enterprise-mysql-apb
* openshift-enterprise-postgresql-apb
* openshift-enterprise-template-service-broker-operator-container
* openshift-enterprise-tests-container
* ose-metering-ansible-operator-container
* presto-container

* openshift-istio-kiali-rhel7-operator-container

Comment 7 Mark Cooper 2020-01-21 06:45:23 UTC

Have filed separate flaws for each container listed with a separate CVE.

Comment 9 Mark Cooper 2020-01-21 07:35:31 UTC
Flaws filed for each container:

* hadoop-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793278
* hive-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793279
* jenkins-slave-base-rhel7-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793282
* openshift-enterprise-ansible-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793277
* openshift-enterprise-ansible-service-broker-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793283
* openshift-enterprise-apb-base-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793286
* openshift-enterprise-apb-tools-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793302
* openshift-enterprise-mariadb-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793289
* openshift-enterprise-mediawiki-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793296
* openshift-enterprise-mediawiki-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793297
* openshift-enterprise-mysql-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793299
* openshift-enterprise-postgresql-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793301
* openshift-enterprise-template-service-broker-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793304
* openshift-enterprise-tests-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793287
* ose-metering-ansible-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793284
* presto-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793281
* openshift-istio-kiali-rhel7-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793305

Comment 11 Dhananjay Arunesh 2020-01-24 09:36:13 UTC

Name: Joseph LaMagna-Reiter (SPR Inc.)
