What user does the container run as? Also is the filesystem read only? #176

Closed
AceHack opened this issue Jul 7, 2020 · 4 comments

Comments

@AceHack

AceHack commented Jul 7, 2020

One other question: what capabilities are allowed?

https://man7.org/linux/man-pages/man7/capabilities.7.html
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

@jonjohnsonjr
Collaborator

jonjohnsonjr commented Jul 7, 2020

This should be inherited from the base image.

We're planning to switch over to a non-root user by default in the future, but haven't done so yet because it may be a breaking change: #160

@AceHack
Author

AceHack commented Aug 27, 2020

I'm sorry, what is inherited? A read-only file system?

@jonjohnsonjr
Collaborator

Apologies for not responding for so long; this got buried under a lot of other GitHub spam.

The base image's config file is used for everything except for static kodata and the compiled binary. By default, we (now) use gcr.io/distroless/static:nonroot as the base, which has a non-root user:

$ crane config gcr.io/distroless/static:nonroot | jq .
{
  "architecture": "amd64",
  "author": "Bazel",
  "created": "1970-01-01T00:00:00Z",
  "history": [
    {
      "author": "Bazel",
      "created": "1970-01-01T00:00:00Z",
      "created_by": "bazel build ..."
    }
  ],
  "os": "linux",
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:7a5b9c0b4b140d0379ef710a07c3ecf963685b5236e3d0977b1aa96f209f7c5e"
    ]
  },
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
    ],
    "User": "65532",
    "WorkingDir": "/home/nonroot"
  }
}
$ crane export gcr.io/distroless/static:nonroot - | tar -Oxf - ./etc/passwd
root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin

The filesystem is largely timezone info, but this is the rest:

$ crane export gcr.io/distroless/static:nonroot - | tar -tvf - | grep -v zoneinfo
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/
-rw-r--r-- 0/0             149 1969-12-31 16:00 ./etc/passwd
drwx------ 0/0               0 1969-12-31 16:00 ./root/
drwxr-xr-x 65532/65532       0 1969-12-31 16:00 ./home/
drwx------ 65532/65532       0 1969-12-31 16:00 ./home/nonroot/
-rw-r--r-- 0/0              64 1969-12-31 16:00 ./etc/group
drwxrwxrwt 0/0               0 1969-12-31 16:00 ./tmp/
-rw-r--r-- 0/0             497 1969-12-31 16:00 ./etc/nsswitch.conf
-rw-r--r-- 0/0             343 1969-12-31 16:00 ./etc/os-release
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/ssl/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/ssl/certs/
-rw-r--r-- 0/0          198416 1969-12-31 16:00 ./etc/ssl/certs/ca-certificates.crt
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/doc/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/doc/ca-certificates/
-rw-r--r-- 0/0           18940 1969-12-31 16:00 ./usr/share/doc/ca-certificates/copyright
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/lib/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/lib/dpkg/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/lib/dpkg/status.d/
-rw-r--r-- 0/0             677 1969-12-31 16:00 ./var/lib/dpkg/status.d/base
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./bin/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./boot/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./dev/
-rw-r--r-- 0/0               5 1969-12-31 16:00 ./etc/debian_version
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/default/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/dpkg/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/dpkg/origins/
-rw-r--r-- 0/0              82 1969-12-31 16:00 ./etc/dpkg/origins/debian
-rw-r--r-- 0/0               9 1969-12-31 16:00 ./etc/host.conf
-rw-r--r-- 0/0              26 1969-12-31 16:00 ./etc/issue
-rw-r--r-- 0/0              19 1969-12-31 16:00 ./etc/issue.net
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/profile.d/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/skel/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/update-motd.d/
-rwxr-xr-x 0/0              23 1969-12-31 16:00 ./etc/update-motd.d/10-uname
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./lib/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./proc/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./run/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./sbin/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./sys/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/bin/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/games/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/include/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/lib/
-rw-r--r-- 0/0             261 1969-12-31 16:00 ./usr/lib/os-release
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/sbin/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/base-files/
-rw-r--r-- 0/0             570 1969-12-31 16:00 ./usr/share/base-files/dot.bashrc
-rw-r--r-- 0/0             148 1969-12-31 16:00 ./usr/share/base-files/dot.profile
-rw-r--r-- 0/0              72 1969-12-31 16:00 ./usr/share/base-files/dot.profile.md5sums
-rw-r--r-- 0/0             781 1969-12-31 16:00 ./usr/share/base-files/info.dir
-rw-r--r-- 0/0             286 1969-12-31 16:00 ./usr/share/base-files/motd
-rw-r--r-- 0/0             767 1969-12-31 16:00 ./usr/share/base-files/profile
-rw-r--r-- 0/0             607 1969-12-31 16:00 ./usr/share/base-files/profile.md5sums
-rw-r--r-- 0/0             771 1969-12-31 16:00 ./usr/share/base-files/staff-group-for-usr-local
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/common-licenses/
-rw-r--r-- 0/0           11358 1969-12-31 16:00 ./usr/share/common-licenses/Apache-2.0
-rw-r--r-- 0/0            6111 1969-12-31 16:00 ./usr/share/common-licenses/Artistic
-rw-r--r-- 0/0            1499 1969-12-31 16:00 ./usr/share/common-licenses/BSD
-rw-r--r-- 0/0           20431 1969-12-31 16:00 ./usr/share/common-licenses/GFDL-1.2
-rw-r--r-- 0/0           22962 1969-12-31 16:00 ./usr/share/common-licenses/GFDL-1.3
-rw-r--r-- 0/0           12632 1969-12-31 16:00 ./usr/share/common-licenses/GPL-1
-rw-r--r-- 0/0           18092 1969-12-31 16:00 ./usr/share/common-licenses/GPL-2
-rw-r--r-- 0/0           35147 1969-12-31 16:00 ./usr/share/common-licenses/GPL-3
-rw-r--r-- 0/0           25383 1969-12-31 16:00 ./usr/share/common-licenses/LGPL-2
-rw-r--r-- 0/0           26530 1969-12-31 16:00 ./usr/share/common-licenses/LGPL-2.1
-rw-r--r-- 0/0            7651 1969-12-31 16:00 ./usr/share/common-licenses/LGPL-3
-rw-r--r-- 0/0           25755 1969-12-31 16:00 ./usr/share/common-licenses/MPL-1.1
-rw-r--r-- 0/0           16726 1969-12-31 16:00 ./usr/share/common-licenses/MPL-2.0
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/dict/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/doc/base-files/
-rw-r--r-- 0/0            4678 1969-12-31 16:00 ./usr/share/doc/base-files/README
-rw-r--r-- 0/0            1153 1969-12-31 16:00 ./usr/share/doc/base-files/README.FHS
-rw-r--r-- 0/0           16905 1969-12-31 16:00 ./usr/share/doc/base-files/changelog.gz
-rw-r--r-- 0/0            1228 1969-12-31 16:00 ./usr/share/doc/base-files/copyright
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/info/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/lintian/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/lintian/overrides/
-rw-r--r-- 0/0             985 1969-12-31 16:00 ./usr/share/lintian/overrides/base-files
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/man/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/misc/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/src/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/backups/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/cache/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/lib/misc/
drwxrwsr-x 0/50              0 1969-12-31 16:00 ./var/local/
drwxrwxrwt 0/0               0 1969-12-31 16:00 ./var/lock/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/log/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/run/
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./var/spool/
drwxrwxrwt 0/0               0 1969-12-31 16:00 ./var/tmp/
lrwxrwxrwx 0/0               0 1969-12-31 16:00 ./usr/share/common-licenses/GFDL -> GFDL-1.3
lrwxrwxrwx 0/0               0 1969-12-31 16:00 ./usr/share/common-licenses/GPL -> GPL-3
lrwxrwxrwx 0/0               0 1969-12-31 16:00 ./usr/share/common-licenses/LGPL -> LGPL-3
lrwxrwxrwx 0/0               0 1969-12-31 16:00 ./usr/share/doc/base-files/FAQ -> README
-rw-r--r-- 0/0             293 1969-12-31 16:00 ./var/lib/dpkg/status.d/netbase
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./etc/network/
-rw-r--r-- 0/0            2932 1969-12-31 16:00 ./etc/protocols
-rw-r--r-- 0/0             887 1969-12-31 16:00 ./etc/rpc
-rw-r--r-- 0/0           19183 1969-12-31 16:00 ./etc/services
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/doc/netbase/
-rw-r--r-- 0/0            8039 1969-12-31 16:00 ./usr/share/doc/netbase/changelog.gz
-rw-r--r-- 0/0             535 1969-12-31 16:00 ./usr/share/doc/netbase/copyright
-rw-r--r-- 0/0             682 1969-12-31 16:00 ./var/lib/dpkg/status.d/tzdata
-rwxr-xr-x 0/0             106 1969-12-31 16:00 ./usr/sbin/tzconfig
drwxr-xr-x 0/0               0 1969-12-31 16:00 ./usr/share/doc/tzdata/
-rw-r--r-- 0/0             974 1969-12-31 16:00 ./usr/share/doc/tzdata/README.Debian
-rw-r--r-- 0/0           12995 1969-12-31 16:00 ./usr/share/doc/tzdata/changelog.Debian.gz
-rw-r--r-- 0/0           61381 1969-12-31 16:00 ./usr/share/doc/tzdata/changelog.gz
-rw-r--r-- 0/0             307 1969-12-31 16:00 ./usr/share/doc/tzdata/copyright

I'm fairly certain that container runtimes are responsible for enforcing the read-only nature of this filesystem, e.g. see here: https://docs.docker.com/engine/reference/commandline/run/#mount-volume--v---read-only

Otherwise, that's all that's in the image, so there's not really anything useful for privilege escalation, unless your Go binary allows for it.
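The answer above boils down to "whatever config.User the base image carries". The following is an added example (not ko's or crane's own code) of a pre-deployment check that applies that rule to an image config blob as printed by `crane config`, resolving a named user through the image's /etc/passwd (as extracted with `crane export ... | tar -Oxf - ./etc/passwd`); it treats an unset User as root, and flags whether the UID was numeric, since a Kubernetes `runAsNonRoot` check only accepts a numeric image user unless `runAsUser` is set explicitly. The JSON and passwd samples are constructed to mirror the distroless output quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Verdict: UID -1 = unknown; Numeric = config gave a numeric UID (what k8s runAsNonRoot can verify).
type Verdict struct{ UID int; NonRoot, Numeric bool }

// passwdUID resolves a user name via the image's own /etc/passwd contents.
func passwdUID(passwd, name string) (int, bool) {
	for _, line := range strings.Split(passwd, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 3 && f[0] == name {
			uid, err := strconv.Atoi(f[2])
			return uid, err == nil
		}
	}
	return -1, false
}

// CheckUser reads an image config blob (as printed by `crane config`). config.User
// may be "", "uid", "uid:gid", "name" or "name:group"; "" means the runtime uses root.
func CheckUser(configJSON []byte, passwd string) (Verdict, error) {
	var c struct {
		Config struct{ User string } `json:"config"`
	}
	if err := json.Unmarshal(configJSON, &c); err != nil {
		return Verdict{UID: -1}, err
	}
	user := strings.SplitN(c.Config.User, ":", 2)[0]
	if user == "" {
		return Verdict{UID: 0}, nil
	}
	if uid, err := strconv.Atoi(user); err == nil {
		return Verdict{UID: uid, NonRoot: uid != 0, Numeric: true}, nil
	}
	uid, ok := passwdUID(passwd, user)
	return Verdict{UID: uid, NonRoot: ok && uid != 0}, nil
}

func main() {
	// Constructed sample mirroring the distroless config and passwd shown above.
	cfg := []byte(`{"config":{"User":"65532","WorkingDir":"/home/nonroot"}}`)
	passwd := "root:x:0:0:root:/root:/sbin/nologin\nnonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin\n"
	v, err := CheckUser(cfg, passwd)
	fmt.Printf("%+v %v\n", v, err) // {UID:65532 NonRoot:true Numeric:true} <nil>
}
```

Read-only root filesystem and capability limits are not recorded in the image config at all, so they have to be checked on the pod spec (`readOnlyRootFilesystem`, `capabilities.drop`, `allowPrivilegeEscalation`) rather than on the image.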

@github-actions

github-actions bot commented Feb 9, 2021

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.
