From 5b1da017988c987fc68b55d1f45b5d2676474ce1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Mon, 29 Aug 2022 09:55:59 +0000 Subject: [PATCH] Fix CVE-2022-38060 Closes-Bug: #1985784 Change-Id: I66476a2b396e2cbe41e68ac51f57aae1806b2ed8 --- doc/source/admin/kolla_api.rst | 22 ++++--------------- docker/base/set_configs.py | 19 ++-------------- docker/base/sudoers | 2 ++ .../notes/bug-1985784-59df54a10a004551.yaml | 16 ++++++++++++++ tests/test_set_config.py | 18 --------------- 5 files changed, 24 insertions(+), 53 deletions(-) create mode 100644 releasenotes/notes/bug-1985784-59df54a10a004551.yaml diff --git a/doc/source/admin/kolla_api.rst b/doc/source/admin/kolla_api.rst index 455578212..775dcad9c 100644 --- a/doc/source/admin/kolla_api.rst +++ b/doc/source/admin/kolla_api.rst @@ -93,27 +93,17 @@ Here is an example configuration file: Passing the configuration file to the container ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The configuration can be either passed via the ``KOLLA_CONFIG`` environment -variable or as a file bind-mounted into the container. When bind-mounting the -configuration file, the ``KOLLA_CONFIG_FILE`` environment variable controls -where the file is located in the container, the default path being +The configuration to the container can be passed through a dedicated path: ``/var/lib/kolla/config_files/config.json``. - -Passing the configuration file as environment variable: - -.. code-block:: console - - docker run -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS \ - -e KOLLA_CONFIG='{ "command": "...", "permissions": [ { "path": "...", } ] }' \ - kolla-image +It is advised to ensure this path is mounted read-only for security reasons. Mounting the configuration file in the container: .. code-block:: console docker run -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS \ - -e KOLLA_CONFIG_FILE=/config.json \ - -v /path/to/config.json:/config.json kolla-image + -v /path/to/config.json:/var/lib/kolla/config_files/config.json:ro \ + kolla-image .. _kolla_api_environment_variables: @@ -126,10 +116,6 @@ Variables to pass to the containers The Kolla containers also understand some environment variables to change their behavior at runtime: -* **KOLLA_CONFIG**: load kolla config from the environment, takes precedence - over ``KOLLA_CONFIG_FILE``. -* **KOLLA_CONFIG_FILE**: path to kolla json config file, defaults to - ``/var/lib/kolla/config_files/config.json``. * **KOLLA_CONFIG_STRATEGY** (required): Defines how the :ref:`kolla_start script ` copies the configuration file. Must be one of: diff --git a/docker/base/set_configs.py b/docker/base/set_configs.py index 1d1fc48ae..559f1c0f3 100644 --- a/docker/base/set_configs.py +++ b/docker/base/set_configs.py @@ -272,21 +272,8 @@ def validate_source(data): def load_config(): - def load_from_env(): - config_raw = os.environ.get("KOLLA_CONFIG") - if config_raw is None: - return None - - # Attempt to read config - try: - return json.loads(config_raw) - except ValueError: - raise InvalidConfig('Invalid json for Kolla config') - def load_from_file(): - config_file = os.environ.get("KOLLA_CONFIG_FILE") - if not config_file: - config_file = '/var/lib/kolla/config_files/config.json' + config_file = '/var/lib/kolla/config_files/config.json' LOG.info("Loading config file at %s", config_file) # Attempt to read config file @@ -300,9 +287,7 @@ def load_config(): raise InvalidConfig( "Could not read file %s: %r" % (config_file, e)) - config = load_from_env() - if config is None: - config = load_from_file() + config = load_from_file() LOG.info('Validating config file') validate_config(config) diff --git a/docker/base/sudoers b/docker/base/sudoers index da9c04c30..9b2bfb8dc 100644 --- a/docker/base/sudoers +++ b/docker/base/sudoers @@ -6,6 +6,8 @@ # anyone in the kolla group may sudo -E (set the environment) Defaults: %kolla setenv +Defaults secure_path="/var/lib/kolla/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + # root may run any commands via sudo as the network seervice user. This is # neededfor database migrations of existing services which have not been # converted to run as a non-root user, but instead do that via sudo -E glance diff --git a/releasenotes/notes/bug-1985784-59df54a10a004551.yaml b/releasenotes/notes/bug-1985784-59df54a10a004551.yaml new file mode 100644 index 000000000..5361cd528 --- /dev/null +++ b/releasenotes/notes/bug-1985784-59df54a10a004551.yaml @@ -0,0 +1,16 @@ +--- +security: + - | + Fixes CVE-2022-38060, a sudo privilege escalation vulnerability. + `LP#1985784 `__ +upgrade: + - | + To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE + environment variables in kolla-built containers has been dropped. + Now, only the single trusted path of + ``/var/lib/kolla/config_files/config.json`` will be utilised for loading + container config. + We believe this is a reasonable tradeoff as these environment variables + were not used by any known downstream and potential users in the wild + can easily adapt as this does not limit the functionality per se, only + making it stricter as to where the config can come from. diff --git a/tests/test_set_config.py b/tests/test_set_config.py index ca3a6bb95..e74376c60 100644 --- a/tests/test_set_config.py +++ b/tests/test_set_config.py @@ -59,24 +59,6 @@ class LoadFromFile(base.BaseTestCase): mock.call().__exit__(None, None, None)], mo.mock_calls) -class LoadFromEnv(base.BaseTestCase): - - def test_load_ok(self): - in_config = json.dumps({'command': '/bin/true', - 'config_files': {}}) - - mo = mock.mock_open() - with mock.patch.object(set_configs, 'open', mo): - with mock.patch.dict('os.environ', {'KOLLA_CONFIG': in_config}): - config = set_configs.load_config() - set_configs.copy_config(config) - self.assertEqual([mock.call('/run_command', 'w+'), - mock.call().__enter__(), - mock.call().write('/bin/true'), - mock.call().__exit__(None, None, None)], - mo.mock_calls) - - FAKE_CONFIG_FILES = [ set_configs.ConfigFile( '/var/lib/kolla/config_files/bar.conf', -- 2.30.2