hypothetical security issue regarding rootwrap/privsep
Bug #1874298 reported by Radosław Piliszek
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla | Fix Released | High | Unassigned |
Bug Description
In Kolla images, mostly source ones, there is a step that chowns /etc/<service> to <service>. This opens a possible attack vector if the affected service allows arbitrary writes under its user (due to some other security flaw in that particular service), which can be used to modify privsep/rootwrap config and allow the service to run any command as root, which may be dangerous, especially since these containers likely run in fully privileged mode.
Note that all source images are affected, and only some binary ones.
PoC for fix (very secret): https:/
PS: This is where the new engine would shine too, as this is now a bit tedious and error-prone to patch.
Changed in kolla:
milestone: 10.0.0 → 10.0.1
milestone: 10.0.1 → 11.0.0
Changed in kolla:
milestone: 11.0.0 → 11.1.0
information type: Private Security → Public Security
Changed in kolla:
status: Triaged → In Progress
PoC passes, so it seems the correct fix is just to remove all chown calls on /etc
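A check that follows from the description and the proposed fix, as an added example that is not part of the bug report or Kolla's code: it lists anything under a service's config directory that a non-root user could modify, and extends the same check to the directories named by `filters_path` in `rootwrap.conf`. The function names and the `/etc/nova` path are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Kolla code): find config a non-root service user could edit.

# unsafe_paths DIR [TRUSTED_UID]: print paths under DIR that are not owned by
# TRUSTED_UID (default 0, root) or are group/world-writable. Symlinks are
# exempt from the mode test because their mode bits are not enforced on Linux.
unsafe_paths() {
    find "$1" \( ! -user "${2:-0}" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print
}

# filter_dirs ROOTWRAP_CONF: print each directory named in filters_path.
filter_dirs() {
    sed -n 's/^[[:space:]]*filters_path[[:space:]]*=//p' "$1" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# audit_service DIR [TRUSTED_UID]: audit DIR and every filter directory that
# DIR/rootwrap.conf points at. Prints offenders; returns 1 if any, else 0.
# Assumes directory names without whitespace.
audit_service() {
    as_found=$(unsafe_paths "$1" "${2:-0}")
    if [ -f "$1/rootwrap.conf" ]; then
        for as_dir in $(filter_dirs "$1/rootwrap.conf"); do
            if [ -d "$as_dir" ]; then
                as_found="$as_found
$(unsafe_paths "$as_dir" "${2:-0}")"
            fi
        done
    fi
    as_found=$(printf '%s\n' "$as_found" | sed '/^$/d' | sort -u)
    if [ -n "$as_found" ]; then
        printf '%s\n' "$as_found"
        return 1
    fi
    return 0
}

# Run as a script, e.g.: ./audit.sh /etc/nova
if [ "$#" -gt 0 ]; then
    audit_service "$@"
fi
```

In an image build this can run as a final step for each service directory, failing the build on a non-zero exit status.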