TOB-K8S-004: Pervasive world-accessible file permissions #81116

Status: Open
Author: @cji

This issue was reported in the Kubernetes Security Audit Report

Description
Kubernetes uses files and directories to store information ranging from key-value data to certificate data to logs. However, a number of locations have world-writable directories:

```text
cluster/images/etcd/migrate/rollback_v2.go:110:	if err := os.MkdirAll(path.Join(migrateDatadir, "member", "snap"), 0777); err != nil {
cluster/images/etcd/migrate/data_dir.go:49:		err := os.MkdirAll(path, 0777)
cluster/images/etcd/migrate/data_dir.go:87:	err = os.MkdirAll(backupDir, 0777)
third_party/forked/godep/save.go:472:	err := os.MkdirAll(filepath.Dir(dst), 0777)
third_party/forked/godep/save.go:585:	err := os.MkdirAll(filepath.Dir(name), 0777)
pkg/volume/azure_file/azure_util.go:34:	defaultFileMode = "0777"
pkg/volume/azure_file/azure_util.go:35:	defaultDirMode  = "0777"
pkg/volume/emptydir/empty_dir.go:41:const perm os.FileMode = 0777
```

Figure 7.1: World-writable (0777) directories and defaults

Other areas of the system use world-writable files as well:

```text
cluster/images/etcd/migrate/data_dir.go:147:	return ioutil.WriteFile(v.path, data, 0666)
cluster/images/etcd/migrate/migrator.go:120:	err := os.Mkdir(backupDir, 0666)
third_party/forked/godep/save.go:589:	return ioutil.WriteFile(name, []byte(body), 0666)
pkg/kubelet/kuberuntime/kuberuntime_container.go:306:	if err := m.osInterface.Chmod(containerLogPath, 0666); err != nil {
pkg/volume/cinder/cinder_util.go:271:	ioutil.WriteFile(name, data, 0666)
pkg/volume/fc/fc_util.go:118:	io.WriteFile(fileName, data, 0666)
pkg/volume/fc/fc_util.go:128:	io.WriteFile(name, data, 0666)
pkg/volume/azure_dd/azure_common_linux.go:77:	if err = io.WriteFile(name, data, 0666); err != nil {
pkg/volume/photon_pd/photon_util.go:55:	ioutil.WriteFile(fileName, data, 0666)
pkg/volume/photon_pd/photon_util.go:65:	ioutil.WriteFile(name, data, 0666)
```

Figure 7.2: World-writable (0666) files

A number of locations in the code base also rely on world-readable directories and files. For example, Certificate Signing Requests (CSRs) are written to a directory with mode 0755 (world readable and browseable) with the actual CSR having mode 0644 (world-readable):

```go
// WriteCSR writes the pem-encoded CSR data to csrPath.
// The CSR file will be created with file mode 0644.
// If the CSR file already exists, it will be overwritten.
// The parent directory of the csrPath will be created as needed with file mode 0755.
func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error {
    ...
    if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0755)); err != nil {
        ...
    }

    if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0644)); err != nil {
        ...
    }
    ...
}
```

Figure 7.3: Documentation and code from cmd/kubeadm/app/util/pkiutil/pki_helpers.go

Exploit Scenario
Alice wishes to migrate some etcd values during normal cluster maintenance. Eve has local access to the cluster’s filesystem, and modifies the values stored during the migration process, granting Eve further access to the cluster as a whole.

Recommendation
Short term, audit all locations that use world-accessible permissions. Revoke those that are unnecessary. Very few files truly need to be readable by any user on a system. Almost none should need to allow arbitrary system users write access.

Long term, use system groups and extended Access Control Lists (ACLs) to ensure that all files and directories created by Kubernetes are accessible by only those users and groups that should be able to access them. This will ensure that only the appropriate users with the correct Unix-level groups may access data. Kubernetes may describe what these groups should be, or create a role-based system to which administrators may assign users and groups.
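As an added example (not code from the Kubernetes repository or from the audit report), the following Go program shows the hardened counterpart of the `MkdirAll(..., 0777)` / `WriteFile(..., 0666)` call sites in Figures 7.1 and 7.2 together with the short-term "audit all locations" step: it creates paths without any `other` bits and walks a tree reporting everything that is still world-accessible. The names `restrictedDirMode`, `restrictedFileMode`, `WriteRestricted` and `AuditTree` are this example's own assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Hypothetical restrictive defaults for the 0777/0666 call sites listed in the figures.
const restrictedDirMode fs.FileMode = 0750  // owner rwx, group rx, nothing for "other"
const restrictedFileMode fs.FileMode = 0640 // owner rw, group r, nothing for "other"

// WorldAccessible reports whether "other" gets any of read, write or execute.
func WorldAccessible(m fs.FileMode) bool { return m.Perm()&0o007 != 0 }

// WorldWritable reports whether "other" gets write access (the 0777/0666 case).
func WorldWritable(m fs.FileMode) bool { return m.Perm()&0o002 != 0 }

// WriteRestricted is the hardened form of MkdirAll(..., 0777) + WriteFile(..., 0666). The
// Chmod matters: WriteFile applies its mode only on create, so an existing file keeps old bits.
func WriteRestricted(path string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), restrictedDirMode); err != nil {
		return err
	}
	if err := os.WriteFile(path, data, restrictedFileMode); err != nil {
		return err
	}
	return os.Chmod(path, restrictedFileMode)
}

// AuditTree returns every path under root whose mode grants world access (the audit step).
func AuditTree(root string) ([]string, error) {
	var found []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if WorldAccessible(info.Mode()) {
			found = append(found, p)
		}
		return nil
	})
	return found, err
}

func main() { fmt.Println(AuditTree(".")) } // usage: go run audit.go (audits the cwd)
```

Symbolic links are reported with 0777 permissions by the Lstat that WalkDir performs, so filter on `d.Type()&fs.ModeSymlink` if those entries are noise in a real audit.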

Anything else we need to know?:

See #81146 for current status of all issues created from these findings.

The vendor gave this issue an ID of TOB-K8S-004 and it was finding 8 of the report.

The vendor considers this issue Medium Severity.

To view the original finding, begin on page 32 of the Kubernetes Security Review Report.

Environment:

  • Kubernetes version: 1.13.4

Labels: area/security, good first issue, help wanted, kind/bug, lifecycle/frozen, priority/important-longterm, sig/node, sig/storage, triage/accepted, wg/security-audit