"Sudo" and other suid binaries cannot be used inside containers #53

Open
nollium opened this issue Dec 29, 2024 · 0 comments

nollium commented Dec 29, 2024

Hello,

By default, crun sets the "no new privileges" flag to true, which prevents using suid binaries like sudo inside containers.
dockerc does not allow modifying this flag.

POC

Dockerfile:

FROM debian:bookworm-slim

COPY flag.txt /flag.txt
RUN chmod 400 /flag.txt

RUN apt-get update && \
    apt-get install -y openssh-server sudo gawk && \
    useradd -m apt42 && \
    echo 'apt42:apt42' | chpasswd && \
    mkdir /var/run/sshd && \
    echo "apt42 ALL=(ALL) NOPASSWD: /usr/bin/gawk" > /etc/sudoers.d/apt42 && \
    chmod 440 /etc/sudoers.d/apt42 && \
    echo "Port 2222" >> /etc/ssh/sshd_config

EXPOSE 2222

CMD ["/usr/sbin/sshd", "-Dd"]

Running sudo

ssh -p 2222 apt42@localhost 
apt42@localhost's password: 
...

$ sudo -l
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

Fix

This can be solved in the same way as #52, by modifying src/main.zig and passing the flag to crun:

diff --git a/src/main.zig b/src/main.zig
index 0a87ef8..6ecf34d 100644
--- a/src/main.zig
+++ b/src/main.zig
@@ -180,6 +180,7 @@ fn getContainerFromArgs(file: std.fs.File, rootfs_absolute_path: []const u8, par
             switch (processVal.*) {
                 .object => |*process| {
                     try process.put("terminal", std.json.Value{ .bool = false });
+                    try process.put("noNewPrivileges", std.json.Value{ .bool = false });
 
                     const argsVal = process.getPtr("args") orelse @panic("no args key");
                     switch (argsVal.*) {
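Review bot: the added `process.put("noNewPrivileges", ...)` hardcodes `false` for every container dockerc builds, silently overwriting whatever value the generated OCI process object already carried (the same pattern the line above uses for `terminal`), and there is still no user-facing way to turn the flag back on. Since this change is what makes setuid binaries such as sudo effective again inside the container, it deserves an opt-in/opt-out switch (CLI flag or build-time option) and a note in the docs stating the default and its security implication, rather than an unconditional override at this point in `getContainerFromArgs`.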

After this fix, the "expected" behavior is met:

ssh -p 2222 apt42@localhost 
apt42@localhost's password: 
...

$ sudo -l

sudo: unable to resolve host umoci-default: Name or service not known
Matching Defaults entries for apt42 on umoci-default:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User apt42 may run the following commands on umoci-default:
    (ALL) NOPASSWD: /usr/bin/gawk

By default, docker/podman allow "new privileges", so, to avoid confusing users, dockerc should probably do the same.

@nollium nollium changed the title "Sudo" and other suid binaries cannot be used inside the container "Sudo" and other suid binaries cannot be used inside containers Dec 29, 2024
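As an added example, not part of the issue above and not code from dockerc or crun, the following C program exercises the Linux no_new_privs flag that sudo is complaining about: it reads the flag both through prctl(2) and by parsing the NoNewPrivs line of /proc/self/status (which is how a user inside a container can diagnose the problem before running sudo at all), sets the flag, and then shows that the kernel refuses to clear it again. The function names (nnp_get, nnp_set, nnp_try_clear, nnp_parse_status, nnp_from_proc) and the sample status text are my own choices for illustration; it assumes a Linux kernel with PR_SET_NO_NEW_PRIVS support.

```c
// Added example, not from the dockerc issue or project: inspect and exercise
// the Linux no_new_privs flag that sudo reports as set. Build: cc -o nnp nnp.c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Query the flag via prctl(2). Returns 0 or 1, or -1 on error (errno set). */
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the flag. The only accepted value is 1; once set it is inherited by
 * every forked child and preserved across execve, which is why the setuid
 * bit on sudo no longer raises privileges for a process that carries it. */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Attempt to clear the flag. The kernel rejects any arg2 other than 1 with
 * EINVAL. Returns the errno observed, or 0 if the call unexpectedly succeeded. */
int nnp_try_clear(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Parse the text of a /proc/<pid>/status file for its "NoNewPrivs:" line.
 * Returns 0 or 1, or -1 if the line is absent or malformed. */
int nnp_parse_status(const char *status_text) {
    const char *key = "NoNewPrivs:";
    size_t keylen = strlen(key);
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, key, keylen) == 0) {
            p += keylen;
            while (*p == ' ' || *p == '\t')
                p++;
            if (*p == '0' || *p == '1')
                return *p - '0';
            return -1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Read this process's own status file and parse it; this is the check an
 * unprivileged user can run inside a container without calling sudo. */
int nnp_from_proc(void) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return nnp_parse_status(buf);
}

int main(void) {
    printf("NoNewPrivs before: prctl=%d /proc=%d\n", nnp_get(), nnp_from_proc());
    if (nnp_set() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("NoNewPrivs after set: prctl=%d /proc=%d\n", nnp_get(), nnp_from_proc());
    int e = nnp_try_clear();
    printf("clearing the flag: %s\n", e == 0 ? "succeeded (unexpected)" : strerror(e));
    /* From here on, exec'ing sudo (or any other setuid binary) from this
     * process or its descendants will not gain privileges; sudo prints the
     * "no new privileges" message quoted in the issue instead. */
    return 0;
}
```

Run it inside the container started by dockerc before and after the patch: with crun's default the first line already shows 1 and nothing in the container can change that, which is why the fix has to be applied in the OCI process configuration (noNewPrivileges) rather than at runtime.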