Joseph Wu created MESOS-9564:
--------------------------------

             Summary: Logrotate container logger lets tasks execute arbitrary commands in the Mesos agent's namespace
                 Key: MESOS-9564
                 URL: https://issues.apache.org/jira/browse/MESOS-9564
             Project: Mesos
          Issue Type: Bug
          Components: agent, modules
            Reporter: Joseph Wu


The non-default {{LogrotateContainerLogger}} module allows tasks to configure 
sandbox log rotation (See 
http://mesos.apache.org/documentation/latest/logging/#Containers ).  The 
{{logrotate_stdout_options}} and {{logrotate_stderr_options}} in particular let 
the task specify free-form text, which is written to a configuration file 
located in the task's sandbox.  The module does not sanitize or check this 
configuration at all.

The logger itself will eventually run {{logrotate}} against the written 
configuration file, but the logger is not isolated in the same way as the task. 
For both the Mesos and Docker containerizers, the logger binary will run in 
the same namespace as the Mesos agent.  This makes it possible to affect files 
outside of the task's mount namespace.

Two modes of attack are known to be problematic:
* Changing or adding entries to the configuration file.  Normally, the 
configuration file contains a single file to rotate:
{code}
/path/to/sandbox/stdout {
  <logrotate_stdout_options>
}
{code}
It is trivial to add text to the {{logrotate_stdout_options}} to add a new 
entry:
{code}
/path/to/sandbox/stdout {
  <arbitrary options>
}
/path/to/other/file/on/disk {
  <arbitrary options>
}
{code}
* Logrotate's {{postrotate}} option allows for execution of arbitrary commands. 
This can again be supplied with the {{logrotate_stdout_options}} variable.
{code}
/path/to/sandbox/stdout {
  postrotate
    rm -rf /
  endscript
}
{code}

Some potential fixes to consider:
* Overwrite the .logrotate.conf files each time. This would give only 
milliseconds between writing and calling logrotate for a third party to modify 
the config files maliciously. This would not help if the task itself had 
postrotate options in its environment variables.
* Sanitize the free-form options field in the environment variables to remove 
postrotate or injection attempts like }\n/path/to/some/file\noptions{.
* Refactor parts of the Mesos isolation code path so that the logger and IO 
switchboard binary live in the same namespaces as the container (instead of the 
agent). This would also be nice in that the logger's CPU usage would then be 
accounted for within the container's resources.
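As an added illustration of the second fix (sanitizing the free-form options), here is a strict validator for a {{logrotate_stdout_options}} / {{logrotate_stderr_options}} value. It is not Mesos code; the function name and the directive allowlist are assumptions, and it rejects rather than strips anything that could close the stanza or run a script.

```cpp
#include <cctype>
#include <set>
#include <sstream>
#include <string>

// Allowlist of harmless logrotate directives (assumption: a deployment would
// tune this list). Anything else, including postrotate/prerotate/include, is
// rejected outright instead of being filtered out.
static const std::set<std::string> kAllowedDirectives = {
  "rotate", "size", "maxsize", "minsize", "compress", "nocompress",
  "delaycompress", "copytruncate", "missingok", "notifempty",
  "dateext", "nodateext", "daily", "weekly", "monthly", "yearly"
};

// Returns true only if `options` may be embedded verbatim inside the
// "<sandbox>/stdout { ... }" stanza of the generated .logrotate.conf.
bool validateLogrotateOptions(const std::string& options) {
  // A brace anywhere could close the stanza and open one for another path.
  if (options.find_first_of("{}") != std::string::npos) {
    return false;
  }

  std::istringstream lines(options);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream words(line);
    std::string directive;
    if (!(words >> directive)) {
      continue;  // blank line
    }
    if (kAllowedDirectives.count(directive) == 0) {
      return false;  // unknown directive, or one that runs commands
    }
    // Arguments may only be plain alphanumerics, e.g. "rotate 5", "size 10M".
    std::string arg;
    while (words >> arg) {
      for (char c : arg) {
        if (!std::isalnum(static_cast<unsigned char>(c))) {
          return false;
        }
      }
    }
  }
  return true;
}
```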

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)