oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: cve request: systemd-machined: information exposure for docker containers

From: Simon McVittie <smcv () debian org>
Date: Thu, 28 Jul 2016 15:42:49 +0100
On Thu, 28 Jul 2016 at 08:34:35 -0400, Daniel J Walsh wrote:

Lennart is wrong when he states that this only effects "user"
containers, any container that registers with
machinectl, will have this information revealed to non privileged user
processes.


*Which* unprivileged user processes?

If the unprivileged user processes are not in a container, they can get a
significant amount of the same information by reading the host's /proc.

If the unprivileged user processes are in a container or other confinement
that prevents them from looking at the host's /proc, then one of the other
things that confinement can/should prevent is unfiltered access to the host
system's D-Bus system bus, which is how machinectl talks to systemd-machined.

Lennart also points out on the systemd bug that the
methods in question can be access-controlled (at your
own risk, the policy language is horrible) by modifying
/etc/dbus-1/system.d/org.freedesktop.machine1.conf. They don't appear to
be mediated by /usr/share/polkit-1/actions/org.freedesktop.machine1.policy
too, but they could be; that would be an enhancement request for systemd
upstream.

I think the bottom line here is that if the author of a container integration
tool chooses to publish information in a central registry (systemd-machined),
then they shouldn't be surprised to find the central registry's security model
getting applied to that information.

    S
Previous By Date Next
Previous By Thread Next

Current thread: