[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell.

2016-08-02 Thread Gilbert Song (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405039#comment-15405039
 ] 

Gilbert Song commented on MESOS-5388:
-

commit 9c77899431f8e414f5965a424888a889f6327135
Author: Gilbert Song 
Date:   Tue Aug 2 15:21:38 2016 -0700

Removed unused user variable in filesystem linux isolator prepare.

Review: https://reviews.apache.org/r/50580/

commit 9579a298d1b3e38d9e70261ebe2c893893282d72
Author: Gilbert Song 
Date:   Tue Aug 2 15:46:31 2016 -0700

Added logs for pre-exec commands to sandbox in MesosContainerizerLaunch.

Review: https://reviews.apache.org/r/50581/

> MesosContainerizerLaunch flags execute arbitrary commands via shell.
> 
>
> Key: MESOS-5388
> URL: https://issues.apache.org/jira/browse/MESOS-5388
> Project: Mesos
> Issue Type: Bug
> Components: containerization
> Reporter: James DeFelice
> Assignee: Gilbert Song
> Labels: mesosphere, security
>
> For example, the docker volume isolator's containerPath is appended (without 
> sanitation) to a command that's executed in this manner. As such, it's 
> possible to inject arbitrary shell commands to be executed by mesos.
> https://github.com/apache/mesos/blob/17260204c833c643adf3d8f36ad8a1a606ece809/src/slave/containerizer/mesos/launch.cpp#L206
> Perhaps instead of strings these commands could/should be sent as string 
> arrays that could be passed as argv arguments w/o shell interpretation?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell

2016-08-01 Thread Jie Yu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15403069#comment-15403069
 ] 

Jie Yu commented on MESOS-5388:
---

commit 9c6097f063405279efc07eec22457c2059653f07
Author: Gilbert Song 
Date:   Mon Aug 1 17:07:00 2016 -0700

Updated filesystem linux isolator pre exec commands to be non-shell.

Review: https://reviews.apache.org/r/50216/



[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell

2016-08-01 Thread Jie Yu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15402727#comment-15402727
 ] 

Jie Yu commented on MESOS-5388:
---

commit ca5eaad82f69309de427aab3ec2ed7976c9cc850
Author: Gilbert Song 
Date:   Mon Aug 1 13:05:53 2016 -0700

Updated docker volume isolator to return non-shell 'pre_exec_commands'.

Review: https://reviews.apache.org/r/50535/

commit 202e1933c592f456420ec1c85fd9a21d0df9
Author: Gilbert Song 
Date:   Mon Aug 1 13:03:16 2016 -0700

Updated mesos containerizer launch execute() to return 'EXIT_FAILURE'.

Review: https://reviews.apache.org/r/50534/



[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell

2016-08-01 Thread Jie Yu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15402575#comment-15402575
 ] 

Jie Yu commented on MESOS-5388:
---

commit 25626fcf8f63875ed0ccfe2ddb67a9998e5ba934
Author: Gilbert Song 
Date:   Mon Aug 1 09:50:13 2016 -0700

Supported non-shell command in MesosLaunch to avoid arbitrary commands.

Currently all pre_exec_commands are executed as shell commands in Mesos
Launch. It is not safe because arbitrary shell commands may be included
in some user-facing API (e.g., container_path).  We should execute those
commands as a subprocess to prevent arbitrary shell command injection.

Review: https://reviews.apache.org/r/50214/



[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell

2016-07-26 Thread Jie Yu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15395044#comment-15395044
 ] 

Jie Yu commented on MESOS-5388:
---

This does not fully fix the problem. People can still inject arbitrary command 
using '; rm -rf /




[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell

2016-07-26 Thread Jie Yu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15394547#comment-15394547
 ] 

Jie Yu commented on MESOS-5388:
---

commit 5299df79c85dcc4205b014a8bd360bc8a4cdf8e7
Author: Gilbert Song 
Date:   Tue Jul 26 14:11:20 2016 -0700

Updated pre exec commands as non-shell in docker volume isolator.

By adding apostrophes to mount 'source' and 'target', arbitrary commands
defined by users postfixed to 'container_path' will take no effect.
'mount' command will return an error for invalid mount 'target'.

Review: https://reviews.apache.org/r/50215/

> MesosContainerizerLaunch flags execute arbitrary commands via shell
> ---
>
> Key: MESOS-5388
> URL: https://issues.apache.org/jira/browse/MESOS-5388
> Project: Mesos
> Issue Type: Bug
> Components: containerization
> Reporter: James DeFelice
> Assignee: Gilbert Song
> Labels: mesosphere, security
> Fix For: 1.0.0, 1.1.0
>
>
> For example, the docker volume isolator's containerPath is appended (without 
> sanitation) to a command that's executed in this manner. As such, it's 
> possible to inject arbitrary shell commands to be executed by mesos.
> https://github.com/apache/mesos/blob/17260204c833c643adf3d8f36ad8a1a606ece809/src/slave/containerizer/mesos/launch.cpp#L206
> Perhaps instead of strings these commands could/should be sent as string 
> arrays that could be passed as argv arguments w/o shell interpretation?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell

2016-05-16 Thread Guangya Liu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15286128#comment-15286128
 ] 

Guangya Liu commented on MESOS-5388:


Yes, the {{docker volume isolator}} already filtered out the 
{{CommandInfo.commands}} as the {{commands}} in {{docker volume isolator}} is 
only for {{launchInfo}}

{code}
Future<Option<ContainerLaunchInfo>> DockerVolumeIsolatorProcess::_prepare(
    const ContainerID& containerId,
    const vector<string>& targets,
    const list<Future<string>>& futures)
{
  ContainerLaunchInfo launchInfo;  // <--
  launchInfo.set_namespaces(CLONE_NEWNS);

  vector<string> messages;
  vector<string> sources;
  foreach (const Future<string>& future, futures) {
    if (!future.isReady()) {
      messages.push_back(future.isFailed() ? future.failure() : "discarded");
      continue;
    }

    sources.push_back(strings::trim(future.get()));
  }

  if (!messages.empty()) {
    return Failure(strings::join("\n", messages));
  }

  CHECK_EQ(sources.size(), targets.size());

  for (size_t i = 0; i < sources.size(); i++) {
    const string& source = sources[i];
    const string& target = targets[i];

    LOG(INFO) << "Mounting docker volume mount point '" << source
              << "' to '" << target  << "' for container " << containerId;

    const string command = "mount -n --rbind " + source + " " + target;

    launchInfo.add_commands()->set_value(command);  // <--
  }

  return launchInfo;
}
{code}

> MesosContainerizerLaunch flags execute arbitrary commands via shell
> ---
>
> Key: MESOS-5388
> URL: https://issues.apache.org/jira/browse/MESOS-5388
> Project: Mesos
> Issue Type: Bug
> Reporter: James DeFelice
> Labels: mesosphere, security
>
> For example, the docker volume isolator's containerPath is appended (without 
> sanitation) to a command that's executed in this manner. As such, it's 
> possible to inject arbitrary shell commands to be executed by mesos.
> https://github.com/apache/mesos/blob/17260204c833c643adf3d8f36ad8a1a606ece809/src/slave/containerizer/mesos/launch.cpp#L206
> Perhaps instead of strings these commands could/should be sent as string 
> arrays that could be passed as argv arguments w/o shell interpretation?





[jira] [Commented] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell

2016-05-16 Thread Gilbert Song (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15285218#comment-15285218
 ] 

Gilbert Song commented on MESOS-5388:
-

[~jdef] thanks for reporting the issue.

To better understand: is this issue saying that arbitrary commands may 
be included in `container_path`, which makes it dangerous since we will run a 
shell command including that `container_path`?

First, we should do more on users, and we have MESOS-4936 to support container 
capabilities.

Second, container_path should not be regarded as totally without sanitation (we 
should do more though), because in docker volume isolator prepare() we will 
`mkdir` for the container_path:
https://github.com/apache/mesos/blame/bd9d208972dbfae4e0d15b053b754de3e02a763e/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp#L375~#L380
which will cause a failure in prepare() before we set CommandInfo.commands, so 
many dangerous commands attached to the container_path should be filtered out.
