Lock down docker root dir perms.
Do not use 0701 perms.
0701 dir perms allows anyone to traverse the docker dir.
It happens to allow any user to execute, as an example, suid binaries
from image rootfs dirs because it allows traversal AND, critically,
container users need to be able to execute things.
0701 on lower directories also happens to allow any user to modify
things in, for instance, the overlay upper dir which necessarily
has 0755 permissions.
This changes to use 0710 which allows users in the group to traverse.
In userns mode the UID owner is (real) root and the GID is the remapped
root's GID.
This prevents anyone but the remapped root to traverse our directories
(which is required for userns with runc).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 93ac040bf0
)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
parent
306fa44b7c
commit
03f1c3d78f
|
@ -458,5 +458,5 @@ func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity())
|
return idtools.MkdirAllAndChown(p, 0710, idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: daemon.IdentityMapping().RootPair().GID})
|
||||||
}
|
}
|
||||||
|
|
|
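Review bot: The directory identity is spelled out inline here as `idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: daemon.IdentityMapping().RootPair().GID}`, and the same pair is rebuilt by hand at every other call site in this commit (container create, NewDaemon, setupDaemonRoot and each graphdriver Init/Create) in three different forms. A small shared helper returning "daemon UID, remapped-root GID" would keep those sites from drifting apart and give one place to document why the group differs from the owner. If the line stays as it is, a comment such as `// 0710: owner is the daemon UID, group is the remapped root GID, so only that group may traverse` would help the next reader. The enclosing function starts outside the hunk.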
@ -171,10 +171,11 @@ func (daemon *Daemon) create(opts createOpts) (retC *container.Container, retErr
|
||||||
}
|
}
|
||||||
ctr.RWLayer = rwLayer
|
ctr.RWLayer = rwLayer
|
||||||
|
|
||||||
if err := idtools.MkdirAndChown(ctr.Root, 0701, idtools.CurrentIdentity()); err != nil {
|
current := idtools.CurrentIdentity()
|
||||||
|
if err := idtools.MkdirAndChown(ctr.Root, 0710, idtools.Identity{UID: current.UID, GID: daemon.IdentityMapping().RootPair().GID}); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if err := idtools.MkdirAndChown(ctr.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil {
|
if err := idtools.MkdirAndChown(ctr.CheckpointDir(), 0700, current); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -845,7 +845,10 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
}
|
}
|
||||||
|
|
||||||
daemonRepo := filepath.Join(config.Root, "containers")
|
daemonRepo := filepath.Join(config.Root, "containers")
|
||||||
if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil {
|
if err := idtools.MkdirAllAndChown(daemonRepo, 0710, idtools.Identity{
|
||||||
|
UID: idtools.CurrentIdentity().UID,
|
||||||
|
GID: rootIDs.GID,
|
||||||
|
}); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1224,21 +1224,21 @@ func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
id := idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: remappedRoot.GID}
|
||||||
|
// First make sure the current root dir has the correct perms.
|
||||||
|
if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil {
|
||||||
|
return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
|
||||||
|
}
|
||||||
|
|
||||||
// if user namespaces are enabled we will create a subtree underneath the specified root
|
// if user namespaces are enabled we will create a subtree underneath the specified root
|
||||||
// with any/all specified remapped root uid/gid options on the daemon creating
|
// with any/all specified remapped root uid/gid options on the daemon creating
|
||||||
// a new subdirectory with ownership set to the remapped uid/gid (so as to allow
|
// a new subdirectory with ownership set to the remapped uid/gid (so as to allow
|
||||||
// `chdir()` to work for containers namespaced to that uid/gid)
|
// `chdir()` to work for containers namespaced to that uid/gid)
|
||||||
if config.RemappedRoot != "" {
|
if config.RemappedRoot != "" {
|
||||||
id := idtools.CurrentIdentity()
|
|
||||||
// First make sure the current root dir has the correct perms.
|
|
||||||
if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
|
|
||||||
return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
|
|
||||||
}
|
|
||||||
|
|
||||||
config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID))
|
config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID))
|
||||||
logrus.Debugf("Creating user namespaced daemon root: %s", config.Root)
|
logrus.Debugf("Creating user namespaced daemon root: %s", config.Root)
|
||||||
// Create the root directory if it doesn't exist
|
// Create the root directory if it doesn't exist
|
||||||
if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
|
if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil {
|
||||||
return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
|
return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
|
||||||
}
|
}
|
||||||
// we also need to verify that any pre-existing directories in the path to
|
// we also need to verify that any pre-existing directories in the path to
|
||||||
|
|
|
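Review bot: The `idtools.MkdirAllAndChown(config.Root, 0710, id)` call appears to have moved above the `config.RemappedRoot != ""` check, so it now runs on every start, but its comment still only says "correct perms" without stating what they are or why the group is `remappedRoot.GID`. I would extend it to something like `// 0710, group = remapped root GID: only the daemon UID and that group may traverse the root; everyone else gets no access.` Because this also applies when user namespaces are off, any host account that previously relied on the other-execute bit to reach paths beneath the root loses that access, which deserves a line in the description or release notes. The side assignment is read from the print order on this page, and setupDaemonRoot continues past the end of the hunk.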
@ -130,14 +130,23 @@ func Init(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||||
}
|
}
|
||||||
|
|
||||||
currentID := idtools.CurrentIdentity()
|
currentID := idtools.CurrentIdentity()
|
||||||
|
_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: currentID.UID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
|
||||||
// Create the root aufs driver dir
|
// Create the root aufs driver dir
|
||||||
if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil {
|
if err := idtools.MkdirAllAndChown(root, 0710, dirID); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Populate the dir structure
|
// Populate the dir structure
|
||||||
for _, p := range paths {
|
for _, p := range paths {
|
||||||
if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil {
|
if err := idtools.MkdirAllAndChown(path.Join(root, p), 0710, dirID); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -71,7 +71,14 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||||
return nil, graphdriver.ErrPrerequisites
|
return nil, graphdriver.ErrPrerequisites
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
|
remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps)
|
||||||
|
currentID := idtools.CurrentIdentity()
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: currentID.UID,
|
||||||
|
GID: remappedRoot.RootPair().GID,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -488,7 +495,14 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil {
|
|
||||||
|
currentID := idtools.CurrentIdentity()
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: currentID.UID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := idtools.MkdirAllAndChown(subvolumes, 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if parent == "" {
|
if parent == "" {
|
||||||
|
|
|
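Review bot: Init here obtains the group through `idtools.NewIDMappingsFromMaps(uidMaps, gidMaps)` and then `remappedRoot.RootPair().GID`, a path with no error return, while the Init hunks for the aufs, overlay, overlay2 and zfs driver dirs call `idtools.GetRootUIDGID(uidMaps, gidMaps)` and return its error. If RootPair() discards a failed root lookup (its body is not shown on this page), a mapping without a root entry would leave `home` with an unintended group instead of failing at start-up. Using `_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)` followed by the usual `return nil, err` would match the other drivers. The local name `remappedRoot` is also misleading, since it holds the whole mapping rather than a root pair. The later Init hunk that creates `path.Join(home, linkDir)` with mode `700` uses the same pattern.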
@ -88,7 +88,17 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||||
return nil, graphdriver.ErrNotSupported
|
return nil, graphdriver.ErrNotSupported
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil {
|
remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps)
|
||||||
|
currentID := idtools.CurrentIdentity()
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: currentID.UID,
|
||||||
|
GID: remappedRoot.RootPair().GID,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 700, currentID); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -173,11 +183,15 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
|
||||||
}
|
}
|
||||||
root := idtools.Identity{UID: rootUID, GID: rootGID}
|
root := idtools.Identity{UID: rootUID, GID: rootGID}
|
||||||
|
|
||||||
currentID := idtools.CurrentIdentity()
|
dirID := idtools.Identity{
|
||||||
if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil {
|
UID: rootUID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil {
|
if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -211,7 +225,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0701, currentID); err != nil {
|
if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
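Review bot: The link directory is created with a decimal mode in `idtools.MkdirAllAndChown(path.Join(home, linkDir), 700, currentID)`. Decimal 700 is octal 1274, so, assuming the value is passed through as permission bits, the low nine bits request 0274 (owner write-only, group rwx, others read) instead of owner-only access. It should read `idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, currentID)`, as the overlay2 Init hunk does. In the `create` hunks of the same section, `dirID` is built with `UID: rootUID`, which makes it identical to `root` on the line above and hands ownership of the 0710 directories to the remapped root. The description says the owner should stay the real root, so `UID: idtools.CurrentIdentity().UID` looks intended. Both functions extend beyond the hunks shown.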
@ -156,11 +156,20 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||||
logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs))
|
logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create the driver home dir
|
currentID := idtools.CurrentIdentity()
|
||||||
if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
|
_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
|
||||||
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: currentID.UID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create the driver home dir
|
||||||
|
if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
d := &Driver{
|
d := &Driver{
|
||||||
home: home,
|
home: home,
|
||||||
uidMaps: uidMaps,
|
uidMaps: uidMaps,
|
||||||
|
@ -262,10 +271,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr
|
||||||
root := idtools.Identity{UID: rootUID, GID: rootGID}
|
root := idtools.Identity{UID: rootUID, GID: rootGID}
|
||||||
|
|
||||||
currentID := idtools.CurrentIdentity()
|
currentID := idtools.CurrentIdentity()
|
||||||
if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil {
|
dirID := idtools.Identity{
|
||||||
return err
|
UID: currentID.UID,
|
||||||
|
GID: rootGID,
|
||||||
}
|
}
|
||||||
if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil {
|
if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
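Review bot: In the Create hunk, the `idtools.MkdirAllAndChown(path.Dir(dir), ...)` call and its `return err` seem to have no counterpart on the new side, so only `dir` itself is created with `0710` and `dirID`. The hunk header's 10-to-11 line count fits that reading. The other Create hunks in this commit keep the parent-directory call with the new mode, so this one stands out. If the parent is expected to exist already from Init, a comment above `idtools.MkdirAndChown(dir, 0710, dirID)` such as `// parent (driver home) is created with 0710 in Init` would make that intentional; otherwise the `path.Dir(dir)` call should be restored with `0710, dirID`. Create's body continues outside the hunk.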
@ -165,7 +165,20 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||||
logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs))
|
logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs))
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil {
|
_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
cur := idtools.CurrentIdentity()
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: cur.UID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, cur); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -344,12 +357,15 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
root := idtools.Identity{UID: rootUID, GID: rootGID}
|
root := idtools.Identity{UID: rootUID, GID: rootGID}
|
||||||
current := idtools.CurrentIdentity()
|
dirID := idtools.Identity{
|
||||||
|
UID: idtools.CurrentIdentity().UID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
|
||||||
if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil {
|
if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := idtools.MkdirAndChown(dir, 0701, current); err != nil {
|
if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -37,8 +37,16 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||||
if err := d.parseOptions(options); err != nil {
|
if err := d.parseOptions(options); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
|
dirID := idtools.Identity{
|
||||||
|
UID: idtools.CurrentIdentity().UID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -140,7 +148,12 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
|
||||||
func (d *Driver) create(id, parent string, size uint64) error {
|
func (d *Driver) create(id, parent string, size uint64) error {
|
||||||
dir := d.dir(id)
|
dir := d.dir(id)
|
||||||
rootIDs := d.idMapping.RootPair()
|
rootIDs := d.idMapping.RootPair()
|
||||||
if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil {
|
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: idtools.CurrentIdentity().UID,
|
||||||
|
GID: rootIDs.GID,
|
||||||
|
}
|
||||||
|
if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0710, dirID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil {
|
if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil {
|
||||||
|
|
|
@ -105,7 +105,16 @@ func Init(base string, opt []string, uidMaps, gidMaps []idtools.IDMap) (graphdri
|
||||||
return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
|
return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil {
|
_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
dirID := idtools.Identity{
|
||||||
|
UID: idtools.CurrentIdentity().UID,
|
||||||
|
GID: rootGID,
|
||||||
|
}
|
||||||
|
if err := idtools.MkdirAllAndChown(base, 0710, dirID); err != nil {
|
||||||
return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
|
return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|