What am I doing wrong that gives me this enormous vulnerability (mounting a host volume)?

avfilter · February 27, 2019, 11:25pm

Hello dear fellow docs,

I must be doing something hideously wrong in my docker setup if I’m to have the following huge vulnerability. Can one of the more knowledgeable ones among you please take a look and offer some advice?

I created a c++ compile/run sandbox using ubuntu:xenial bundled with the minimal c++ dev packages.

I mount a local volume within this sandbox and run an interactive shell.

In this shell, I create a binary that chmods itself to 4755 and then execs the rest of the command line (like exec).

When I exit the container, I return to my host directory where I find this program owned by root, with setuid root, able to run any command of my choosing as root.

Is this vulnerability overcome by restrictions I haven’t built into my image?

I’m running docker in one of its most common configurations on a generic AWS mini instance.

&

46 {aws-024}setuid-expt: ls -la
total 12
drwxr-xr-x 2 anand anand 4096 Feb 27 23:11 ./
drwxr-xr-x 7 anand anand 4096 Feb 27 23:04 ../
-rw-r--r-- 1 anand anand  296 Feb 27 23:11 ssu.cpp

47 {aws-024}setuid-expt: cat ssu.cpp
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
  chmod(argv[0], 04555); // setuid
  if (argc == 1) return 0;

  char **av = new char *[argc];

  for (int i = 1; i < argc; i++)
    av[i-1] = argv[i];
  av[argc-1] = NULL;
  
  execv(av[0], av);
}

48 {aws-024}setuid-expt: docker run -v `pwd`:/expt -it sandbox-cpp

root@ae1c66638f64:/sandbox# cd /expt

root@ae1c66638f64:/expt# ls -la
total 12
drwxr-xr-x 2  501  501 4096 Feb 27 23:11 .
drwxr-xr-x 1 root root 4096 Feb 27 23:12 ..
-rw-r--r-- 1  501  501  296 Feb 27 23:11 ssu.cpp

root@ae1c66638f64:/expt# make ssu
g++     ssu.cpp   -o ssu

root@ae1c66638f64:/expt# ./ssu /bin/echo hi there
hi there

root@ae1c66638f64:/expt# exit
exit

49 {aws-024}setuid-expt: ls -la
total 24
drwxr-xr-x 2 anand anand 4096 Feb 27 23:12 ./
drwxr-xr-x 7 anand anand 4096 Feb 27 23:04 ../
-r-sr-xr-x 1 root  root  8696 Feb 27 23:12 ssu*
-rw-r--r-- 1 anand anand  296 Feb 27 23:11 ssu.cpp

50 {aws-024}setuid-expt: ./ssu /bin/touch test

51 {aws-024}setuid-expt: ls -la
total 24
drwxr-xr-x 2 anand anand 4096 Feb 27 23:12 ./
drwxr-xr-x 7 anand anand 4096 Feb 27 23:04 ../
-r-sr-xr-x 1 root  root  8696 Feb 27 23:12 ssu*
-rw-r--r-- 1 anand anand  296 Feb 27 23:11 ssu.cpp
-rw-r--r-- 1 root  anand    0 Feb 27 23:12 test

52 {aws-024}setuid-expt: