config: base GID must be present in the supplementary GIDs array #1168
Open
neersighted wants to merge 2 commits into opencontainers:main from neersighted:supplemental_gids_include_egid
+39 −4
Commits on Dec 16, 2022
config: base GID must be present in the supplementary GIDs array
Currently, the spec is unclear whether the list of [supplementary GIDs][POSIX-sgids-def] used to create a container process should include the 'base' GID implicitly, or whether the config needs to specify this explicitly if desired. While [per POSIX][POSIX-sgids-rat] it is permissible for a system to include or exclude the base GID from the list of supplementary GIDs, in all Runtime Spec platforms the base GID is always added, and omitting it can have [real security consequences][benthams-gaze] as fully dropping a group is not typically allowed in Unix.

This recently led to a number of CVEs in OCI Runtime Spec implementations, as it was concluded that it is necessary for a Unix container to always include the base GID in the list of supplementary GIDs, as originally established by 4.4BSD. Some of the CVEs include:

* [Podman (CVE-2022-2989)][CVE-2022-2989]
* [Moby (CVE-2022-36109)][CVE-2022-36109]
* [Buildah (CVE-2022-2990)][CVE-2022-2990]
* [CRI-O (CVE-2022-2995)][CVE-2022-2995]

Some examples of how existing implementations handle this:

* util-linux [calls][util-linux] [initgroups(3)][initgroups.3-linux] with the user's primary GID.
* shadowutils (Linux) [calls][shadowutils] [initgroups(3)][initgroups.3-linux] with the user's primary GID.
* FreeBSD [calls][freebsd-setusercontext] [initgroups(3)][initgroups.3-freebsd] with the user's GID from the password file (aka the primary GID).
* Solaris [calls][solaris-setup_credentials] [initgroups(3)][initgroups.3-solaris] with the user's primary GID.
* Z/OS's session creation code is not available; however [initgroups(3)][initgroups.3-zos] specifies a convention of including the real group ID from the user database (aka the primary GID).
* OpenSSH [calls][openssh] initgroups(3) with the user's primary GID; on all of the above platforms this will have the same result as a login(1), including the primary GID in the list of supplementary GIDs.

While login(1) has generally been used as the example above, the same holds true for su(1) and other methods of starting a new session (including OpenSSH, as explained above).

Given this seems clearly desirable and the OCI runtime is effectively the equivalent of login(1)/su(1)/any other program that sets up a new session, the OCI runtime is the best place to ensure that the list of supplementary group IDs contains the base GID.

[POSIX-sgids-def]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_378
[POSIX-sgids-rat]: https://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xbd_chap03.html#tag_21_03_00_73
[CVE-2022-2989]: https://access.redhat.com/security/cve/cve-2022-2989
[CVE-2022-36109]: GHSA-rc4r-wh2q-q6c4
[CVE-2022-2990]: https://access.redhat.com/security/cve/cve-2022-2990
[CVE-2022-2995]: https://access.redhat.com/security/cve/cve-2022-2995
[benthams-gaze]: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
[util-linux]: https://github.com/util-linux/util-linux/blob/96ccdc00e1fcf1684f9734a189baf90e00ff0c9a/login-utils/login.c#L1443
[shadowutils]: https://github.com/shadow-maint/shadow/blob/eaebea55a495a56317ed85e959b3599f73c6bdf2/libmisc/setugid.c#L55
[freebsd-setusercontext]: https://github.com/freebsd/freebsd-src/blob/eeaf9d562fe137e0c52b8c346742dccfc8bde015/lib/libutil/login_class.c#L486
[solaris-setup_credentials]: https://github.com/illumos/illumos-gate/blob/d9c3e05c2d8261e3f133b5e96a300b4fa6c0f1b7/usr/src/cmd/login/login.c#L1926
[openssh]: https://github.com/openssh/openssh-portable/blob/25bd659cc72268f2858c5415740c442ee950049f/session.c#L1379
[initgroups.3-linux]: https://man7.org/linux/man-pages/man3/initgroups.3.html
[initgroups.3-freebsd]: https://www.freebsd.org/cgi/man.cgi?initgroups(3)
[initgroups.3-solaris]: https://illumos.org/man/3C/initgroups
[initgroups.3-zos]: https://www.ibm.com/docs/en/zos/2.2.0?topic=functions-initgroups-initialize-supplementary-group-id-list-process

Signed-off-by: Bjorn Neergaard <[email protected]>
Commit d143e99
Commits on Mar 29, 2023
amend! config: base GID must be present in the supplementary GIDs array
Currently, the spec is unclear whether the list of supplementary GIDs[1] used to create a container process should include the 'base' GID implicitly, or whether the config needs to specify this explicitly if desired. While per POSIX[2] it is permissible for a system to include or exclude the base GID from the list of supplementary GIDs, in all Runtime Spec platforms the base GID is always added, and omitting it can have real security consequences[3] as fully dropping a group is not typically allowed in Unix.

This recently led to a number of CVEs in OCI Runtime Spec implementations, as it was concluded that it is necessary for a Unix container to always include the base GID in the list of supplementary GIDs, as originally established by 4.4BSD. Some of the CVEs include:

* Podman (CVE-2022-2989)
* Moby (CVE-2022-36109)
* Buildah (CVE-2022-2990)
* CRI-O (CVE-2022-2995)

Some examples of how existing implementations handle this:

* util-linux calls initgroups(3) with the user's primary GID. [4,5]
* shadowutils (Linux) calls initgroups(3) with the user's primary GID. [5,6]
* FreeBSD calls initgroups(3) with the user's GID from the password file (aka the primary GID). [7,8]
* Solaris calls initgroups(3) with the user's primary GID. [9,10]
* Z/OS's session creation code is not available; however initgroups(3) specifies a convention of including the real group ID from the user database (aka the primary GID). [11]
* OpenSSH[12] calls initgroups(3) with the user's primary GID; on all of the above platforms this will have the same result as a login(1), including the primary GID in the list of supplementary GIDs.

While login(1) has generally been used as the example above, the same holds true for su(1) and other methods of starting a new session (including OpenSSH, as explained above).

Given this seems clearly desirable and the OCI runtime is effectively the equivalent of login(1)/su(1)/any other program that sets up a new session, the OCI runtime is the best place to ensure that the list of supplementary group IDs contains the base GID.

[1]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_378
[2]: https://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xbd_chap03.html#tag_21_03_00_73
[3]: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
[4]: https://github.com/util-linux/util-linux/blob/96ccdc00e1fcf1684f9734a189baf90e00ff0c9a/login-utils/login.c#L1443
[5]: https://man7.org/linux/man-pages/man3/initgroups.3.html
[6]: https://github.com/shadow-maint/shadow/blob/eaebea55a495a56317ed85e959b3599f73c6bdf2/libmisc/setugid.c#L55
[7]: https://github.com/freebsd/freebsd-src/blob/eeaf9d562fe137e0c52b8c346742dccfc8bde015/lib/libutil/login_class.c#L486
[8]: https://www.freebsd.org/cgi/man.cgi?initgroups(3)
[9]: https://github.com/illumos/illumos-gate/blob/d9c3e05c2d8261e3f133b5e96a300b4fa6c0f1b7/usr/src/cmd/login/login.c#L1926
[10]: https://illumos.org/man/3C/initgroups
[11]: https://www.ibm.com/docs/en/zos/2.2.0?topic=functions-initgroups-initialize-supplementary-group-id-list-process
[12]: https://github.com/openssh/openssh-portable/blob/25bd659cc72268f2858c5415740c442ee950049f/session.c#L1379
[CVE-2022-2989]: https://access.redhat.com/security/cve/cve-2022-2989
[CVE-2022-36109]: GHSA-rc4r-wh2q-q6c4
[CVE-2022-2990]: https://access.redhat.com/security/cve/cve-2022-2990
[CVE-2022-2995]: https://access.redhat.com/security/cve/cve-2022-2995

Signed-off-by: Bjorn Neergaard <[email protected]>
Co-authored-by: Cory Snider <[email protected]>
Signed-off-by: Cory Snider <[email protected]>
Commit 2d3f86c
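The rule both commit messages argue for (the base GID must always appear in the supplementary GID list, as initgroups(3) guarantees on every platform listed) can be checked and enforced at the config level before a runtime ever calls setgroups(2). The Go program below is an added illustration, not code from the runtime-spec project or its authors. It assumes a local `User` struct that mirrors only the `uid`, `gid` and `additionalGids` fields of the spec's `process.user` object; the helper names `MissingBaseGID`, `EnsureBaseGID` and `NormalizeConfig` and the sample config fragment are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a local stand-in for the uid/gid/additionalGids fields of the
// OCI runtime-spec process.user object (assumption: it mirrors the shape
// of specs.User, but this is not the spec's own package).
type User struct {
	UID            uint32   `json:"uid"`
	GID            uint32   `json:"gid"`
	AdditionalGids []uint32 `json:"additionalGids,omitempty"`
}

// MissingBaseGID reports whether a config violates the rule introduced by
// this change: the base GID does not appear anywhere in additionalGids.
func MissingBaseGID(u User) bool {
	for _, g := range u.AdditionalGids {
		if g == u.GID {
			return false
		}
	}
	return true
}

// EnsureBaseGID returns a supplementary GID list that is guaranteed to
// contain the base GID, appending it when the config omitted it. This is
// the observable effect of calling initgroups(3) with the primary GID: the
// process is never left without its base group. The configured order is
// preserved and a base GID that is already present is left alone.
func EnsureBaseGID(u User) []uint32 {
	out := append([]uint32(nil), u.AdditionalGids...)
	if MissingBaseGID(u) {
		out = append(out, u.GID)
	}
	return out
}

// NormalizeConfig parses a process.user JSON fragment and returns it with
// the base GID present in additionalGids, so a runtime that hands the list
// to setgroups(2) cannot silently drop the base group.
func NormalizeConfig(raw []byte) (User, error) {
	var u User
	if err := json.Unmarshal(raw, &u); err != nil {
		return User{}, err
	}
	u.AdditionalGids = EnsureBaseGID(u)
	return u, nil
}

func main() {
	// Constructed sample config fragment: supplementary groups 4 and 27 are
	// listed, but the base GID 1000 is not.
	const sample = `{"uid": 1000, "gid": 1000, "additionalGids": [4, 27]}`
	var before User
	if err := json.Unmarshal([]byte(sample), &before); err != nil {
		panic(err)
	}
	fmt.Println("base GID missing before normalization:", MissingBaseGID(before))
	after, err := NormalizeConfig([]byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uid=%d gid=%d additionalGids=%v\n", after.UID, after.GID, after.AdditionalGids)
}
```

A runtime or a config validator can run `MissingBaseGID` as a lint that rejects non-conforming configs, or `EnsureBaseGID` to apply the spec's requirement unconditionally; the two differ only in whether the omission is treated as an error or silently corrected.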