[zonidjan]

> Recently I saw a tweet where someone mentioned that you can include /dev/stdin in C code compiled with gcc. This is, to say the very least, surprising.

You can also call something to read from stdin in your Makefile, or read from stdin in your executable.

> But is it equally obvious that the compiler also needs to be sandboxed?

Yes. Why wouldn't it be sandboxed?!

> I even found one service that ... showed me the hash of the root password.

Wow. That's bad. Of course, that's not a compiler issue, but rather a system administration issue. /etc/shadow should not be world-readable.

> This effectively means this service is running compile tasks as root.

That's quite a leap from 'I can read /etc/shadow' to 'I am root'.

> Interestingly, including pseudo-files from /proc does not work. It seems gcc treats them like empty files.

More accurately, it seems the system treats them like empty files. gcc does a stat on the file, which returns 'regular file' and 'size=0'. gcc therefore calls read() with a length of 0 bytes.

[himinlomax]

> That's quite a leap from 'I can read /etc/shadow' to 'I am root'.

Of all the leaps in that post, that's the least leapy thing. `shadow` exists precisely so that only `root` can read its content, whereas before said content resided in `passwd` which _needs_ to be readable by all.

I see only two possibilities here. Either the people who set up that compile service are complete morons and run said compile as actual root in an actual VM; OR, more likely, shit runs in a container with an _apparent_ id of 0 but no actual privilege outside its temporary environment.

[londons_explore]

Running as actual root in a VM would be my preferred design. There are lots of times a user might need to apt-get some dependencies for their compile job. Let an attacker do whatever they like in the VM. Then delete the VM between users.

Docker containers aren't really a good security barrier, and a VM is much better (although VM escape vulnerabilities aren't unheard of).

[rbanffy]

There are many ways a hostile program inside a VM can escape it and run code on the host or, at least, negatively affect it.

[arpa]

Please do share how can one escape qemu.

[jacquesm]

At your service:

https://www.techrepublic.com/article/vm-escape-flaw-in-qemu-...

[arpa]

Beautiful! Thank you.

[fghtr]

Not many if its Qubes OS.

[rbanffy]

One would be quite enough.

[fghtr]

In fact, Qubes is using hardware virtualization IOMMU/VT-d [0], which has been escaped only once in 2006 by the project founder [1].

[0] https://www.qubes-os.org/doc/architecture/

[1] https://en.wikipedia.org/wiki/Blue_Pill_(software)

[zer0t3ch]

I don't know much containerization outside of docker, but you can definitely apt-get some dependencies even inside docker containers.

[londons_explore]

Inside a docker container, you are root, so you can apt-get.

[boring_twenties]

If it was in a typical container there'd be no hashed password for root, though. Just a ! or *.

In fact that's kinda the standard practice anyway nowadays (disallow logging in directly as root), so I'm really not sure what these guys are doing.

[simias]

>That's quite a leap from 'I can read /etc/shadow' to 'I am root'.

Is it? There are alternatives of course but I would say that without further clues that seems the most likely explanation.

I agree with the rest of your points though. In general it seems fairly obvious that build systems should be sandboxed if they're building "foreign" code, after all if you can mess with the source code you can probably affect the build system as well, and from there you can basically do anything you want.

[antirez]

> More accurately, it seems the system treats them like empty files.

The reason is that the content is generated by a callback that the kernel calls, and the kernel does not want the content to be generated just in order to stat(2) the file, so it shows a zero length, and assumes that things like /bin/cat will just read(2) until EOF is returned, without trying to be too smart.

[yk]

> Yes. Why wouldn't it be sandboxed?!

Famous last words.

[softwarelimits]

If that was my server I would of course put a joke in /etc/shadow - did you try to brute force the hashes? It would not be a great surprise to find some obvious funny content if you try?

[boop-the-snoot]

That'd be pretty funny :D

Like for example, if the entry for root in the joke /etc/shadow was the hash of "Thank you Mario! But our princess is in another castle!"

[tlavoie]

That's a pretty long passphrase, so someone would have to have put it in the word list directly to ever guess something that long. Would be fun though.

[ryanlol]

How many of your servers actually have jokes in /etc/shadow?

[m463]

only the shadow knows

[ryanlol]

How many systems have you ran into with world readable /etc/shadow?