Add passwd/group file entries when running images as assigned user ID not in passwd file. #553
Conversation
|
Forgot to modify |
|
Should be noted that |
| RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \ | ||
| mkdir -p $CONDA_DIR && \ | ||
| chown $NB_USER:$NB_GID $CONDA_DIR && \ | ||
| chmod g+w /etc/passwd /etc/group && \ |
There was a problem hiding this comment.
This makes it trivial for any user to become root in their container:
cp /etc/passwd /tmp/passwd
rootpass=`openssl passwd -1 root`
cat /tmp/passwd | sed "s/root:x/root:${rootpass}/" > /etc/passwdNow the user can su root with the password 'root'
I think we need another solution that doesn't grant universal su root access.
This does only affect putting users into the root group, so not the default case, but it does mean that putting users into the root group is equivalent to letting the users run as root. Is that the intended effect?
There was a problem hiding this comment.
I will check, but I don't believe that will work in secure environments like Kubernetes/OpenShift where you are blocked from running setuid executables and various related system calls behind the ability to change real user/group.
There was a problem hiding this comment.
Yep, this is restricted in Kubernetes/OpenShift.
jovyan@image:~$ su root
Password:
initgroups: Operation not permitted
This is because secure container environments will drop capabilities.
"securityContext": {
"capabilities": {
"drop": [
"KILL",
"MKNOD",
"SETGID",
"SETUID"
]
},
"privileged": false,
"runAsUser": 1000030000,
"seLinuxOptions": {
"level": "s0:c6,c0"
}
},
|
Re: Dockerfile.ppc64le, I think it's safe to leave that be for now. It's a good example of items we're not able to effectively maintain in this repo that should probably reside in another repository. |
| # Add entries to /etc/passwd and /etc/group if being run as user ID | ||
| # other than which the image has specified by the USER statement. | ||
|
|
||
| fix-passwd-entry |
There was a problem hiding this comment.
Is it possible for this logic to live in the start* scripts after tini runs instead of introducing additional scripts? I understand that Python and other programs may balk when the UID is not found in /etc/users and /etc/group, but does tini have that problem?
Simply looking to keep the number of separate workflow scripts we need to maintain low.
There was a problem hiding this comment.
The reason for adding it in an ENTRYPOINT script and doing it in there is that it gets applied even if someone overrides the CMD to do something else. For example, in JupyterHub, the CMD for the notebook images is overridden to execute jupyterhub-singleuser directly, bypassing start.sh.
There was a problem hiding this comment.
This will depend on the Spawner. It is true of KubeSpawner, but isn't true of DockerSpawner in general (deployments may override CMD, but it is not overridden by default).
Doing this as an entrypoint makes sense to me. I think the same might be said for much of what's in start.sh, though. Effectively, putting this and only this in entrypoint is saying that the passwd entry is more important than and should be harder to opt-out of than anything in start.sh. That may be right, but I think we should think carefully about this in the future.
|
Note, I will make one more change to this. I will add a check that doesn't do anything if |
|
Have made change to check running as GID of 0 since relying on group being that to write passwd and group files. So should all be good to go. Summarising what we have.
As far as is known there is no risk with making passwd/group files writable to root and doesn't provide any ability for use to get elevated privileges. FWIW, the only other way this whole thing could be solved is by by fiddling around with shared libraries and forced preloading of them into processes. This is talked about in: That other methods has lots of problems, including that nss_wrapper isn't packaged in stable for Debian/Ubuntu and that |
| id -G | grep -q -w $NB_UID; STATUS=$? | ||
| if [ $STATUS -eq 0 ]; then | ||
| echo "jovyan:x:$NB_UID:" >> /etc/group | ||
| fi |
There was a problem hiding this comment.
We have similar logic to this in start.sh, and it currently enables:
- setting user id
- setting user name
- granting sudo access
The start.sh logic requires launching the image as the root user rather than the root group. Effectively, we have a fork of two different behaviors with the same goal - one dedicated for openshift/some kubernetes deployments (this one) and one for most others (in start.sh). They accomplish the same thing in different ways and in different code paths. Perhaps we should reconcile them. It would probably be nice if we could accomplish the existing root-requiring logic in start.sh via root group rather than root user. Would you like to take a stab at that?
There was a problem hiding this comment.
The problem still gets back to fact that JupyterHub only runs jupyterhub-singleuser and not start-singleuser.sh. Because of my use case for JupyterHub that isn't a complete stumbling block though as it is already necessary to configure KubeSpawner to set supplemental group of users on the container since docker-stacks images aren't setup to use group root for everything, but rely on groups users when user ID is not 1000. Since already doing that, no drama to also override the startup command to be start-singleuser.sh. Since it internally uses start.sh to run jupyterhub-singleuser then integrating it with start.sh is probably okay.
I can't see that this will change the need to make passwd and group files writable to root group. The only way around that is messy and requires compiled C programs that are setuid so can become effective user of root, but not real user as kernel setuid() call blocked, such that can update files in that C program. Am not confident that isn't blocked by some configurations for running containers.
Even if make passwd and group writable, my recollection is that commands like usermod and groupmod don't work as that change is not enough. When I tested that it may have been on CentOS though so possible that Debian is different. So chance that have to still make changes to passwd and group manually. I will do some more testing and see what can be done using start.sh.
|
See instead #559 for new attempt to address this, with changes being done from |
|
Thanks for #559! |
Details of the reason for this change in #552
The fix for the problem works by providing a script for the container entry point which makes changes to the passwd and group files and then executes the original
tinicommand that was previously used for the container entry point.