New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TOB-K8S-004: Pervasive world-accessible file permissions #81116
Comments
the kubeadm parts of this finding are tracked at: |
/remove-kind feature |
/sig storage |
/priority important-longterm
I’m most familiar with the emptydir one (which also applies to secrets and CMs) and that one might be tricky to fix without breaking existing workloads. Tricky or not, it would be nice if we could excise these from the code for 2 reasons: an extra layer of security (defense in depth), and not showing false positive red flags on audits. On the first point, an extra layer of security via more restrictive DACs may make an attack more difficult when an attacker has broken through one control and is looking to parlay that access into something more. Regarding the second point, when cluster operators do security audits (either with automated tools or manual audits), these will turn up as red flags (even if relatively harmless) and will be annoying for auditors and auditees alike since they’ll have to justify their existence or fail the audit, etc. |
I want to point out somewhere here also that it is normal (and secure!) Unix practice to (eg) create a regular file with 0644 and then rely on the inherited external I appreciate that kubelet/containers are a special case here because we're often running in a context with uid=0 and an unclear/incomplete parent process hierarchy. I sort of feel it's incorrect to attempt to anticipate the desired permissions policy within regular tools (eg: etcd migration) however, and an automated report that highlights these examples in the code without mentioning the interaction with |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
the kubeadm parts are resolved kubernetes/kubeadm#1716 |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/lifecycle frozen |
Group read permissions might be useful to keep? It allows potential integration to be given read access by adding it to a group. (Especially for log files, where the option to run a collector as a non-root user is useful) |
Currently, kubelet creates a world-readable and world-writeable empty files in `/var/lib/kubelet/pods/{podUID}/containers/busysleep/{containerId}`. These are meant to be written by the process in containers when container is terminated. Originally, this file was created with `0644`, then despite security concerns, it was changed to `0666` in kubernetes#31839. This was completed to allow containers running as non-root to write termination messages. Later on, in 2019 this has been highlighted as a security vulnerability in Kubernetes Security Audir Report in kubernetes#81116. This commit changes termination log file mode to `0660` which is best of both worlds - it removes world-writeable file, yet still allows the container's user to write the termination message.
Any updates regarding this? |
/assign |
@QiWang19 - Are there any updates on this? |
Hello @matthyx - I'm going to start working on this one file at a time, would you be up for pairing with me on the first one or two? Specifically I'd like to chat about the blockers that impacted the last PR! I've opened a draft PR here for one of the less risky ones. |
@cailynse sure let me have a look... |
Hey @cailynse Is this issue still available to work on? |
Hello @ShivamTyagi12345! I am waiting on approval for the first PR and then was going to open the next. But you are welcome to get started on any of the subsequent ones if you would like. You can also find a bunch of issues that still need contributors here in the blog post summarizing the 2019 Third Party Security Audit. |
/assign |
@DeeptanshuDas i closed your PR as the kubeadm parts are already fixed, you can send PRs for other areas that need fixes, though. |
@neolit123 I'd like to contribute to start out with a first issue. Does it make sense for me to change these to 0644 and assign myself?
kubernetes/pkg/volume/fc/fc_util.go Line 130 in 55f2bc1
kubernetes/pkg/volume/fc/fc_util.go Line 140 in 55f2bc1
|
you can try sending a PR. unclear whether the maintainers will accept it. |
These permissions issues cause worker nodes hosting pods to fail Federal IT Security scans for world writeable files. At NIST we are required to adhere to all of the FIMSA and SP 800-53 controls. This FAILS. Why can't the system simply honor the umask of the user or system as set by the organization's IT security policies? Hard coding world write permissions is an absolute worst practice. What is the justification? This deserves its own CVE. |
I'm confused here too. Afaics the The original bug - and some of the later comments and proposals - are phrased as if umask doesn't exist. Umask does exist 😅, and controlling permissions in the code itself (ie: pretending umask is 0) is incorrect / wrong / not common unix practice.
Great example - it's not a CVE because these are not what controls the final file permissions. If |
The permissions are not usable at least - the directories along the way tends to be limited enough that the files can't be accessed. (but they do mess with security audits) |
The io.WriteFile method appears to be deprecated? Also the documentation says the file permissions are before umask. It isn't clear if umask is applied or not. |
I'm reading "before umask" as implying that umask will be applied... io.WriteFile calls os.WriteFile, which calls os.OpenFile, which calls openFileNolog. That seems to eventually call the OS's open() syscall, which applies the umask... |
This issue was reported in the Kubernetes Security Audit Report
Description
Kubernetes uses files and directories to store information ranging from key-value data to certificate data to logs. However, a number of locations have world-writable directories:
Figure 7.1: World-writable (0777) directories and defaults
Other areas of the system use world-writable files as well:
Figure 7.2: World-writable (0666) files
A number of locations in the code base also rely on world-readable directories and files. For example, Certificate Signing Requests (CSRs) are written to a directory with mode 0755 (world readable and browseable) with the actual CSR having mode 0644 (world-readable):
Figure 7.3: Documentation and code from cmd/kubeadm/app/util/pkiutil/pki_helpers.go
Exploit Scenario
Alice wishes to migrate some etcd values during normal cluster maintenance. Eve has local access to the cluster’s filesystem, and modifies the values stored during the migration process, granting Eve further access to the cluster as a whole.
Recommendation
Short term, audit all locations that use world-accessible permissions. Revoke those that are unnecessary. Very few files truly need to be readable by any user on a system. Almost none should need to allow arbitrary system users write access.
Long term, use system groups and extended Access Control Lists (ACLs) to ensure that all files and directories created by Kuberenetes are accessible by only those users and groups that should be able to access them. This will ensure that only the appropriate users with the correct Unix-level groups may access data. Kubernetes may describe what these groups should be, or create a role-based system to which administrators may assign users and groups.
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of TOB-K8S-004 and it was finding 8 of the report.
The vendor considers this issue Medium Severity.
To view the original finding, begin on page 32 of the Kubernetes Security Review Report
Environment:
The text was updated successfully, but these errors were encountered: