security: apply least-privilege by removing chown on binaries #45
Conversation
overwhelmingly ACK! After learning and confirming that running chown, chmod and mv effectively duplicate the targeted file in the underlying layer, this PR shaves off a whopping 16 MB from layer 9 as shown here (not to mention the enhanced security this applies...).

PS: I have a rework of my closed 'buildx-lean' PR that addresses the former issues mentioned while not using buildkit, but it's still a draft. Hopefully I will push it later tonight.
Missed that setuid depends on this - doing more tests, reverting to draft.

Yes, the intent of this chown and setuid was for

Which means that it always runs it as the kernel's 1000:1000 (of the HOST) right now, with no way to change it. So if I'm 1001:1001 on the host, I will give wallet access to 1000:1000... This is a big issue. (edit: my /etc/passwd inside the container puts dogecoin at 1000, not 1001 as I misread earlier, so I changed the uid:gid mentioned)

My main host user is uid 1000. I create a new user. I missed something with Docker permissions and I cannot find an appropriate explanation...

I'm closing this, will raise an issue.
I was triggered by the test shown in #33 because `chown`ing files under /usr/local to be owned by a user is not a good practice. It is not needed for dogecoin:dogecoin to have permissions on binaries installed in /usr/local/bin because we allow anyone to execute these anyway through the `chmod 4555`. All the `chown` directive really does is give running processes like dogecoind access to these files, which the process then can `chmod` and subsequently overwrite. Instead, let root own the files, but keep allowing execution by anyone, which will disallow a process spawned by the dogecoin user from changing these files - this reduces the potential impact of future / unknown remote code execution vulnerabilities in Dogecoin Core.

Before this PR, a process running as `dogecoin:dogecoin` inside the container could for example perform the equivalent of `chmod 755 /usr/local/bin/dogecoin-cli && echo "#!/bin/bash\necho je suis un virus" > /usr/local/bin/dogecoin-cli`. After this PR, it cannot.
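An added audit check (not part of this PR or of the dogecoin repository) that encodes the two ownership concerns raised in this thread: a binary owned by the runtime account can be `chmod`ed and overwritten by a compromised process, and a setuid bit on a binary runs it as the file's owner regardless of who invokes it, so the owner chosen for `chmod 4555` files matters. It assumes GNU coreutils `stat` (Linux) and takes the runtime account name as a parameter (`dogecoin` in this image).

```shell
#!/bin/sh
# Added example, not code from the PR. Requires GNU `stat` (-c format).
#
# Verdicts, checked in this order:
#   OWNED_BY_RUNTIME_USER    the service account owns the file, so a process
#                            running as that account can chmod and overwrite it
#   SETUID:<owner>           setuid bit set: the binary runs as <owner> for any
#                            caller; with a root owner that means running as
#                            root, so every such file needs review
#   GROUP_OR_WORLD_WRITABLE  anyone in the group, or anyone at all, can replace it
#   OK                       owned by another account, not writable, no setuid

audit_file() {
    path=$1
    runtime_user=$2                      # e.g. dogecoin
    owner=$(stat -c %U "$path")          # owning user name
    mode=$(stat -c %a "$path")           # octal mode, e.g. 4555 or 555
    bits=$(( 0$mode ))                   # leading 0 makes the shell parse octal
    if [ "$owner" = "$runtime_user" ]; then
        echo OWNED_BY_RUNTIME_USER
    elif [ $(( (bits >> 11) & 1 )) -eq 1 ]; then   # 04000 = setuid
        echo "SETUID:$owner"
    elif [ $(( bits & 022 )) -ne 0 ]; then         # group or other write bit
        echo GROUP_OR_WORLD_WRITABLE
    else
        echo OK
    fi
}

# Audit every regular file in a directory (e.g. /usr/local/bin inside the
# image); prints one verdict per file and returns 1 if any is not OK.
audit_dir() {
    dir=$1
    runtime_user=$2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        v=$(audit_file "$f" "$runtime_user")
        echo "$f: $v"
        [ "$v" = OK ] || rc=1
    done
    return $rc
}

# Usage inside the container: audit_dir /usr/local/bin dogecoin
```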