oss-sec mailing list archives
Re: cve request: systemd-machined: information exposure for docker containers
From: Simon McVittie <smcv () debian org>
Date: Thu, 28 Jul 2016 15:42:49 +0100
On Thu, 28 Jul 2016 at 08:34:35 -0400, Daniel J Walsh wrote:
Lennart is wrong when he states that this only effects "user" containers, any container that registers with machinectl, will have this information revealed to non privileged user processes.
*Which* unprivileged user processes? If the unprivileged user processes are not in a container, they can get a significant amount of the same information by reading the host's /proc. If the unprivileged user processes are in a container or other confinement that prevents them from looking at the host's /proc, then one of the other things that confinement can/should prevent is unfiltered access to the host system's D-Bus system bus, which is how machinectl talks to systemd-machined. Lennart also points out on the systemd bug that the methods in question can be access-controlled (at your own risk, the policy language is horrible) by modifying /etc/dbus-1/system.d/org.freedesktop.machine1.conf. They don't appear to be mediated by /usr/share/polkit-1/actions/org.freedesktop.machine1.policy too, but they could be; that would be an enhancement request for systemd upstream. I think the bottom line here is that if the author of a container integration tool chooses to publish information in a central registry (systemd-machined), then they shouldn't be surprised to find the central registry's security model getting applied to that information. S
Current thread:
- cve request: systemd-machined: information exposure for docker containers CAI Qian (Jul 26)
- Re: cve request: systemd-machined: information exposure for docker containers cve-assign (Jul 26)
- Re: Re: cve request: systemd-machined: information exposure for docker containers Christian Rebischke (Jul 27)
- Re: Re: cve request: systemd-machined: information exposure for docker containers Daniel J Walsh (Jul 27)
- Re: Re: cve request: systemd-machined: information exposure for docker containers Christian Rebischke (Jul 27)
- Re: cve request: systemd-machined: information exposure for docker containers Jesse Hertz (Jul 27)
- Re: cve request: systemd-machined: information exposure for docker containers Jessica Frazelle (Jul 27)
- Re: cve request: systemd-machined: information exposure for docker containers Daniel J Walsh (Jul 28)
- Re: cve request: systemd-machined: information exposure for docker containers Simon McVittie (Jul 28)
- Re: cve request: systemd-machined: information exposure for docker containers Daniel J Walsh (Jul 28)
- Re: cve request: systemd-machined: information exposure for docker containers Shiz (Aug 01)
- Re: cve request: systemd-machined: information exposure for docker containers Daniel J Walsh (Aug 03)
- Re: cve request: systemd-machined: information exposure for docker containers CAI Qian (Aug 10)
- Re: cve request: systemd-machined: information exposure for docker containers Daniel J Walsh (Aug 10)
- Re: Re: cve request: systemd-machined: information exposure for docker containers Christian Rebischke (Jul 27)
- Re: cve request: systemd-machined: information exposure for docker containers cve-assign (Jul 26)