by himinlomax 2380 days ago
> That's quite a leap from 'I can read /etc/shadow' to 'I am root'.

Of all the leaps in that post, that's the least leapy thing. `shadow` exists precisely so that only `root` can read its content, whereas before said content resided in `passwd` which _needs_ to be readable by all.

I see only two possibilities here. Either the people who set up that compile service are complete morons and run said compile as actual root in an actual VM; OR, more likely, shit runs in a container with an _apparent_ id of 0 but no actual privilege outside its temporary environment.


Running as actual root in a VM would be my preferred design. There are lots of times a user might need to apt-get some dependencies for their compile job. Let an attacker do whatever they like in the VM. Then delete the VM between users.

Docker containers aren't really a good security barrier, and a VM is much better (although VM escape vulnerabilities aren't unheard of).

There are many ways a hostile program inside a VM can escape it and run code on the host or, at least, negatively affect it.
Please do share how one can escape qemu.
Beautiful! Thank you.
Not many if it's Qubes OS.
One would be quite enough.
In fact, Qubes is using hardware virtualization IOMMU/VT-d [0], which has been escaped only once in 2006 by the project founder [1].

[0] https://www.qubes-os.org/doc/architecture/

[1] https://en.wikipedia.org/wiki/Blue_Pill_(software)

I trust Joanna Rutkowska's competence, but I wouldn't bet too much on chip makers not messing up again in the future.

It will be progressively harder, but it will happen.

I don't know much about containerization outside of docker, but you can definitely apt-get some dependencies even inside docker containers.
Inside a docker container, you are root, so you can apt-get.
If it was in a typical container there'd be no hashed password for root, though. Just a ! or *.

In fact that's kinda the standard practice anyway nowadays (disallow logging in directly as root), so I'm really not sure what these guys are doing.
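Two checks the thread implies, written up as an added example that is not from any commenter: whether root's shadow(5) entry is locked (`!`, `!!`, `*`) rather than a usable hash, and whether a uid-0 process is real root or a container's apparent root with a trimmed capability set (the `CapEff` line of `/proc/<pid>/status`). The shadow lines, status snippets and the `FULL_CAPS` constant (41 capabilities, kernels 5.9 and later) are constructed assumptions for the demonstration.

```python
# Added example, not code from the thread. Inputs are constructed samples,
# not captured from a real system.

CAP_SYS_ADMIN = 21          # bit index in the Linux capability bitmask
FULL_CAPS = (1 << 41) - 1   # assumption: kernel with 41 capabilities (5.9+)


def shadow_password_state(shadow_line: str) -> str:
    """Classify field 2 of a shadow(5) entry: 'locked', 'empty' or 'hashed'."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow(5) entry")
    pw = fields[1]
    if pw == "":
        return "empty"      # no password at all; dangerous if login is permitted
    if pw.startswith(("!", "*")):
        return "locked"     # '!' / '!!' / '*' never match any typed password
    return "hashed"         # a real crypt(3) hash, e.g. $6$...: login is possible


def effective_caps(status_text: str) -> int:
    """Parse the CapEff line of /proc/<pid>/status into an int bitmask."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("CapEff not found")


def describe_root(uid: int, status_text: str) -> str:
    """Distinguish real root from a container's apparent uid 0."""
    if uid != 0:
        return "unprivileged"
    caps = effective_caps(status_text)
    if caps == FULL_CAPS:
        return "full-root"              # uid 0 with every capability
    if caps & (1 << CAP_SYS_ADMIN):
        return "uid0-with-sys-admin"    # reduced set, but still very powerful
    return "uid0-reduced-caps"          # the "apparent id of 0" case


# Constructed samples: a locked root entry, a hashed one, and CapEff values
# typical of a default container runtime profile vs. an unconfined host shell.
SHADOW_LOCKED = "root:*:19000:0:99999:7:::"
SHADOW_HASHED = "root:$6$saltsalt$hashhashhash:19000:0:99999:7:::"
STATUS_CONTAINER = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
STATUS_HOST = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    print(shadow_password_state(SHADOW_LOCKED), describe_root(0, STATUS_CONTAINER))
```

On a live system the same functions can be fed the contents of `/etc/shadow` (readable only by root, as the thread notes) and `/proc/self/status`.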