Date: Thu, 28 Jul 2016 15:42:49 +0100 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: cve request: systemd-machined: information exposure for docker containers On Thu, 28 Jul 2016 at 08:34:35 -0400, Daniel J Walsh wrote: > Lennart is wrong when he states that this only effects "user" > containers, any container that registers with > machinectl, will have this information revealed to non privileged user > processes. *Which* unprivileged user processes? If the unprivileged user processes are not in a container, they can get a significant amount of the same information by reading the host's /proc. If the unprivileged user processes are in a container or other confinement that prevents them from looking at the host's /proc, then one of the other things that confinement can/should prevent is unfiltered access to the host system's D-Bus system bus, which is how machinectl talks to systemd-machined. Lennart also points out on the systemd bug that the methods in question can be access-controlled (at your own risk, the policy language is horrible) by modifying /etc/dbus-1/system.d/org.freedesktop.machine1.conf. They don't appear to be mediated by /usr/share/polkit-1/actions/org.freedesktop.machine1.policy too, but they could be; that would be an enhancement request for systemd upstream. I think the bottom line here is that if the author of a container integration tool chooses to publish information in a central registry (systemd-machined), then they shouldn't be surprised to find the central registry's security model getting applied to that information. S
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ