Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jul 2016 15:42:49 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: cve request: systemd-machined: information
 exposure for docker containers

On Thu, 28 Jul 2016 at 08:34:35 -0400, Daniel J Walsh wrote:
> Lennart is wrong when he states that this only effects "user"
> containers, any container that registers with
> machinectl, will have this information revealed to non privileged user
> processes.

*Which* unprivileged user processes?

If the unprivileged user processes are not in a container, they can get a
significant amount of the same information by reading the host's /proc.

If the unprivileged user processes are in a container or other confinement
that prevents them from looking at the host's /proc, then one of the other
things that confinement can/should prevent is unfiltered access to the host
system's D-Bus system bus, which is how machinectl talks to systemd-machined.

Lennart also points out on the systemd bug that the
methods in question can be access-controlled (at your
own risk, the policy language is horrible) by modifying
/etc/dbus-1/system.d/org.freedesktop.machine1.conf. They don't appear to
be mediated by /usr/share/polkit-1/actions/org.freedesktop.machine1.policy
too, but they could be; that would be an enhancement request for systemd
upstream.

I think the bottom line here is that if the author of a container integration
tool chooses to publish information in a central registry (systemd-machined),
then they shouldn't be surprised to find the central registry's security model
getting applied to that information.

    S

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ