TOB-K8S-004: Pervasive world-accessible file permissions · Issue #81116 · kubernetes/kubernetes · GitHub

TOB-K8S-004: Pervasive world-accessible file permissions #81116

Open
@cji


This issue was reported in the Kubernetes Security Audit Report

Description
Kubernetes uses files and directories to store information ranging from key-value data to certificate data to logs. However, a number of locations have world-writable directories:

cluster/images/etcd/migrate/rollback_v2.go:110:	if err := os.MkdirAll(path.Join(migrateDatadir, "member", "snap"), 0777); err != nil {
cluster/images/etcd/migrate/data_dir.go:49:		err := os.MkdirAll(path, 0777)
cluster/images/etcd/migrate/data_dir.go:87:	err = os.MkdirAll(backupDir, 0777)
third_party/forked/godep/save.go:472:	err := os.MkdirAll(filepath.Dir(dst), 0777)
third_party/forked/godep/save.go:585:	err := os.MkdirAll(filepath.Dir(name), 0777)
pkg/volume/azure_file/azure_util.go:34:	defaultFileMode = "0777"
pkg/volume/azure_file/azure_util.go:35:	defaultDirMode  = "0777"
pkg/volume/emptydir/empty_dir.go:41:const perm os.FileMode = 0777

Figure 7.1: World-writable (0777) directories and defaults

Other areas of the system use world-writable files as well:

cluster/images/etcd/migrate/data_dir.go:147:	return ioutil.WriteFile(v.path, data, 0666)
cluster/images/etcd/migrate/migrator.go:120:	err := os.Mkdir(backupDir, 0666)
third_party/forked/godep/save.go:589:	return ioutil.WriteFile(name, []byte(body), 0666)
pkg/kubelet/kuberuntime/kuberuntime_container.go:306:			if err := m.osInterface.Chmod(containerLogPath, 0666); err != nil {
pkg/volume/cinder/cinder_util.go:271:			ioutil.WriteFile(name, data, 0666)
pkg/volume/fc/fc_util.go:118:	io.WriteFile(fileName, data, 0666)
pkg/volume/fc/fc_util.go:128:			io.WriteFile(name, data, 0666)
pkg/volume/azure_dd/azure_common_linux.go:77:			if err = io.WriteFile(name, data, 0666); err != nil {
pkg/volume/photon_pd/photon_util.go:55:	ioutil.WriteFile(fileName, data, 0666)
pkg/volume/photon_pd/photon_util.go:65:			ioutil.WriteFile(name, data, 0666)

Figure 7.2: World-writable (0666) files

A number of locations in the code base also rely on world-readable directories and files. For example, Certificate Signing Requests (CSRs) are written to a directory with mode 0755 (world readable and browseable) with the actual CSR having mode 0644 (world-readable):

// WriteCSR writes the pem-encoded CSR data to csrPath.
// The CSR file will be created with file mode 0644.
// If the CSR file already exists, it will be overwritten.
// The parent directory of the csrPath will be created as needed with file mode 0755.
func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error {
    ...
    if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0755)); err != nil {
        ...
    }

    if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0644)); err != nil {
        ...
    }
    ...
}

Figure 7.3: Documentation and code from cmd/kubeadm/app/util/pkiutil/pki_helpers.go

Exploit Scenario
Alice wishes to migrate some etcd values during normal cluster maintenance. Eve has local access to the cluster’s filesystem, and modifies the values stored during the migration process, granting Eve further access to the cluster as a whole.

Recommendation
Short term, audit all locations that use world-accessible permissions. Revoke those that are unnecessary. Very few files truly need to be readable by any user on a system. Almost none should need to allow arbitrary system users write access.

Long term, use system groups and extended Access Control Lists (ACLs) to ensure that all files and directories created by Kubernetes are accessible by only those users and groups that should be able to access them. This will ensure that only the appropriate users with the correct Unix-level groups may access data. Kubernetes may describe what these groups should be, or create a role-based system to which administrators may assign users and groups.

Anything else we need to know?:

See #81146 for current status of all issues created from these findings.

The vendor gave this issue an ID of TOB-K8S-004 and it was finding 8 of the report.

The vendor considers this issue Medium Severity.

To view the original finding, begin on page 32 of the Kubernetes Security Review Report

Environment:

  • Kubernetes version: 1.13.4
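As an added example (not code from the report or from the Kubernetes code base), a small Go audit that implements the short-term recommendation above: walk a directory tree and list every entry whose "other" bits allow any local user to write, or optionally to read. FindWorldAccessible and MakeSampleTree are hypothetical names, and the fixture MakeSampleTree builds is constructed to mirror the modes cited in the finding.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one path whose "other" permission bits grant access to every local user.
type Finding struct {
	Path  string
	Perm  fs.FileMode
	World string // "writable" (o+w) or "readable" (o+r without o+w)
}

// FindWorldAccessible walks root and reports every entry any local user may write to
// and, when includeReadable is set, every entry any local user may read.
func FindWorldAccessible(root string, includeReadable bool) ([]Finding, error) {
	var out []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		switch perm := info.Mode().Perm(); { // Walk uses Lstat: symlinks are not followed
		case perm&0o002 != 0:
			out = append(out, Finding{p, perm, "writable"})
		case includeReadable && perm&0o004 != 0:
			out = append(out, Finding{p, perm, "readable"})
		}
		return nil
	})
	return out, err
}

// MakeSampleTree fills dir (then set to 0777, like the etcd snap directory above) with a
// constructed 0666 data file, a 0644 CSR and a 0600 key. Chmod follows WriteFile because
// the mode given to MkdirAll/WriteFile is reduced by the umask, while Chmod sets the bits exactly.
func MakeSampleTree(dir string) error {
	files := map[string]fs.FileMode{"db": 0o666, "csr.pem": 0o644, "key.pem": 0o600}
	for name, perm := range files {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, []byte("sample\n"), perm); err != nil {
			return err
		}
		if err := os.Chmod(p, perm); err != nil {
			return err
		}
	}
	return os.Chmod(dir, 0o777)
}
```

The umask caveat matters when reading the listings above: a 0777 passed to os.MkdirAll usually lands on disk as 0755, whereas the kubelet's Chmod(containerLogPath, 0666) sets the bits exactly and produces a world-writable log under any umask.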

Labels: area/security, good first issue, help wanted, kind/bug, lifecycle/frozen, priority/important-longterm, sig/node, sig/storage, triage/accepted, wg/security-audit
