Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

daemon: overlay2: remove world writable permission from the lower file #47498

Merged
merged 1 commit into from
Mar 6, 2024
Merged

daemon: overlay2: remove world writable permission from the lower file #47498

merged 1 commit into from
Mar 6, 2024

Conversation

Dzejrou
Copy link
Contributor

@Dzejrou Dzejrou commented Mar 5, 2024
edited by thaJeztah

In de2447c, the creation of the 'lower' file was changed from using os.Create to using ioutils.AtomicWriteFile, which ignores the system's umask. This means that even though the requested permission in the source code was always 0666, it was 0644 on systems with default umask of 0022 prior to de2447c, so the move to AtomicFile potentially increased the file's permissions.

This is not a security issue because the parent directory does not allow writes into the file, but it can confuse security scanners on Linux-based systems into giving false positives.

Reproduction steps:

  1. Install a docker version that contains de2447c (I used docker-24.0.7_ce).
  2. In one terminal start any container (I used alpine/sh for simplicity).
  3. In a second terminal, execute:
germ85:~ # find /var/lib/docker/overlay2/ -type f -perm -222 -ls
   563855      4 -rw-rw-rw-   1 root     root           28 Mar  5 13:58 /var/lib/docker/overlay2/faeafe7e6f15289f0825aeffa2597f0b7ecf5807d7c21d5a9a2d3383090693b7-init/lower
   563878      4 -rw-rw-rw-   1 root     root           57 Mar  5 13:58 /var/lib/docker/overlay2/faeafe7e6f15289f0825aeffa2597f0b7ecf5807d7c21d5a9a2d3383090693b7/lower

With this patch added to the same docker version (24.0.7_ce):

germ85:~ # find /var/lib/docker/overlay2/ -type f -ls | grep lower
   564922      4 -rw-r--r--   1 root     root           28 Mar  5 14:46 /var/lib/docker/overlay2/488b492ef97cfdaa2a531d9e57aa5bd32425ca6bd9154b985eaed89a4fb00dc5-init/lower
   564945      4 -rw-r--r--   1 root     root           57 Mar  5 14:46 /var/lib/docker/overlay2/488b492ef97cfdaa2a531d9e57aa5bd32425ca6bd9154b985eaed89a4fb00dc5/lower

Output from the same system with docker-24.0.5_ce-150000.185.1 (before de2447c was added) installed shows the same behavior as 27.0.7_ce with this patch:

germ85:~ # rpm -qa docker
docker-24.0.5_ce-150000.185.1.x86_64
germ85:~ # find /var/lib/docker/overlay2/ -type f -ls | grep lower
   565976      4 -rw-r--r--   1 root     root           28 Mar  5 14:51 /var/lib/docker/overlay2/d16828005bf086a36eaf4d5d3d4822f652b34bfb0e3323b9c1173dae0d0418e7-init/lower
   565999      4 -rw-r--r--   1 root     root           57 Mar  5 14:51 /var/lib/docker/overlay2/d16828005bf086a36eaf4d5d3d4822f652b34bfb0e3323b9c1173dae0d0418e7/lower

The patch from this PR restores the behavior from 24.0.5_ce where the lower files were not world writable.

@Dzejrou
daemon: overlay2: remove world writable permission from the lower file
cadb124 
In de2447c, the creation of the 'lower' file was changed from using
os.Create to using ioutils.AtomicWriteFile, which ignores the system's
umask. This means that even though the requested permission in the
source code was always 0666, it was 0644 on systems with default
umask of 0022 prior to de2447c, so the move to AtomicFile potentially
increased the file's permissions.

This is not a security issue because the parent directory does not
allow writes into the file, but it can confuse security scanners on
Linux-based systems into giving false positives.

Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
@thaJeztah
Copy link
Member

In de2447c, the creation of the 'lower' file was changed from using os.Create to using ioutils.AtomicWriteFile, which ignores the system's umask.

Hm.. nice find. We should probably consider updating the GoDoc for those functions and call this out explicitly (either that, or make it align with os.Create if the original intent was for it to be a "drop-in" replacement).

@thaJeztah
Copy link
Member

Looks like #46471 was part of v25.0, so I added a cherry-pick label for consideration.

neersighted
neersighted reviewed Mar 5, 2024
View reviewed changes
Copy link
Member

@neersighted neersighted left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me; it does appear that the intended semantics of the ioutils methods are a literal permissions mask not accounting for umask.

Would you mind updating the docstrings in the pkg/ioutils package to make clear how they handle the permissions bits?

@thaJeztah
Copy link
Member

Would you mind updating the docstrings in the pkg/ioutils package to make clear how they handle the permissions bits?

I think it's fine to do that in a separate PR, as it's not directly related, and wouldn't be needed to backport, so separate concern.

@Dzejrou
Copy link
Contributor Author

Dzejrou commented Mar 5, 2024

Looks like #46471 was part of v25.0, so I added a cherry-pick label for consideration.

Would a v24 backport also be possible? That's the version this was reported to me against and what we use (SLES). I can open the PRs for both backports if needed.

@neersighted
Copy link
Member

neersighted commented Mar 5, 2024
edited

There won't be a 24.0 release, unless a maintainer is interested in sponsoring that work (currently Mirantis/Microsoft are maintaining 23.0 and everyone else is on 25.0). If SLES is packaging 24.0, I think you would be better off asking them to take a patch (or an untagged commit) in their packaging/fork.

@Dzejrou
Copy link
Contributor Author

Dzejrou commented Mar 5, 2024

There won't be a 24.0 release, ...

Thanks, that's enough for me (I will have that commit submitted, but we have an upstream-first policy and as such if upstream were to ever release another v24, I'd need to get the patch merged there before submitting it to SLES).

@thaJeztah
Copy link
Member

Would a v24 backport also be possible? That's the version this was reported to me against and what we use (SLES). I can open the PRs for both backports if needed.

Ah! I missed that that patch was backported, so indeed it looks like 23.0 and 24.0 also would have this issue.

thaJeztah
thaJeztah approved these changes Mar 6, 2024
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah added this to the 26.0.0 milestone Mar 6, 2024
@thaJeztah thaJeztah merged commit cb8c8e9 into moby:master Mar 6, 2024
140 checks passed
This was referenced Mar 6, 2024
Merged
Merged
Merged
@thaJeztah thaJeztah mentioned this pull request Mar 6, 2024
Closed
@thaJeztah
Copy link
Member

Created a quick tracking ticket for the GoDoc changes in case someone wants to pick up that work;

crazybolillo added a commit to crazybolillo/moby that referenced this pull request Apr 3, 2024
@crazybolillo
Update GoDoc for ioutils on atomic writers
aacd819 
Unlike its stdlib counterparts, AtomicFileWriter does not take into
consideration umask due to its use of chmod. Failure to recognize this
may cause subtle problems like the one described in moby#47498.

Therefore the documentation has been updated to let users know that
umask is not taken into consideration when using AtomicFileWriter.

Closes moby#47516.
crazybolillo added a commit to crazybolillo/moby that referenced this pull request Apr 3, 2024
@crazybolillo
Update GoDoc for ioutils on atomic writers
9f1b60e 
Unlike its stdlib counterparts, AtomicFileWriter does not take into
consideration umask due to its use of chmod. Failure to recognize this
may cause subtle problems like the one described in moby#47498.

Therefore the documentation has been updated to let users know that
umask is not taken into consideration when using AtomicFileWriter.

Closes moby#47516.

Signed-off-by: Antonio Aguilar <antonio@zoftko.com>
@crazybolillo crazybolillo mentioned this pull request Apr 3, 2024
Merged
crazybolillo added a commit to crazybolillo/moby that referenced this pull request Apr 3, 2024
@crazybolillo
Update GoDoc for ioutils on atomic writers
57a12a3 
Unlike its stdlib counterparts, AtomicFileWriter does not take into
consideration umask due to its use of chmod. Failure to recognize this
may cause subtle problems like the one described in moby#47498.

Therefore the documentation has been updated to let users know that
umask is not taken into consideration when using AtomicFileWriter.

Closes moby#47516.

Signed-off-by: Antonio Aguilar <antonio@zoftko.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neersighted neersighted neersighted approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees
No one assigned
Labels
area/storage/overlay process/cherry-picked status/2-code-review
Projects
None yet
Milestone
26.0.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Dzejrou @thaJeztah @neersighted @vvoland