_NOTE: Do not submit anything other than bug reports or RFEs via the issue tracker!_
230
Used distribution
Arch Linux
Hello,
I am subscribed to the (Open Source Security) mailing list. I've found a CVE request for systemd-machined there. I don't think it's tracked here, is it?
Once Docker containers register themselves with systemd-machined via oci-register-machine, any unprivileged user could run machinectl to list every single container running on the host, even if the containers do not belong to this user (including containers belonging to the root user), and access sensitive information associated with any individual container, including its internal IP address, OS version, running processes, and the file path of its rootfs.
$ machinectl status cc8d10c7b9892b75843d200d54d34a3a
cc8d10c7b9892b75843d200d54d34a3a(63633864313063376239383932623735)
Since: Mon 2016-07-25 17:55:36 UTC; 34s ago
Leader: 43494 (sleep)
Service: docker; class container
Root: /var/mnt/overlay/overlay/0429684e3da515ae4f11b8514c7b20f759613
Address: 172.17.0.2
fe80::42:acff:fe11:2
OS: Red Hat Enterprise Linux Server 7.2 (Maipo)
Unit: docker-cc8d10c7b9892b75843d200d54d34a3a9435fe0f65527c254ebfd2d
└─43494 sleep 3000
Link to the CVE-Request: http://article.gmane.org/gmane.comp.security.oss.general/20035
We should definitely discuss this issue.
machined is a system service and is for registering containers running on the system. There's no concept of "user containers" with that, and unprivileged users do not have the privileges to even register any containers with machined.
If you ask me the CVE is complete and utter rubbish. At least against systemd. If Docker knows a concept of user containers, then good for them, but in that case they shouldn't register them with machined really, if they are not supposed to be visible on the host.
Generally though I think the CVE is without merit entirely, after all "ps" is generally unrestricted, and hence you can always see container processes running on the host anyway.
Closing hence.
To be clear, this is not a feature of Docker. This is a separate Project Atomic hook that requires a modified Docker daemon in order to be used. Docker doesn't register containers with systemd (it does register cgroup association by creating a transient unit, but that's a separate issue).
BTW, note that there are actually security policies enforced both on registering machines this way, as well as on retrieving information about registered machines, both via the dbus policy. It's just that the default policies require privileges for registering machines and no privileges for retrieving information about registered machines. If people want this more restrictive (or more liberal) they can easily configure that by adjusting the dbus XML policy. I am very convinced however, that the default should be the way it currently is, as everything else just encourages people to run all their client commands privileged, which certainly doesn't help security...
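For administrators who do want the more restrictive variant described above, here is an added example (not part of this thread or of systemd's own shipped policy) of a D-Bus system-bus drop-in that denies unprivileged callers access to the machined bus name and re-allows it for root and one group. The file name, the choice of the `wheel` group, and the decision to deny the whole `org.freedesktop.machine1` destination rather than individual methods are assumptions made for the example.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Hypothetical local override, e.g. /etc/dbus-1/system.d/zz-machined-restrict.conf.
     Local files in /etc/dbus-1/system.d/ are read after the distribution defaults,
     and a later rule for the same context overrides an earlier one. -->
<busconfig>

  <!-- Default context applies to every caller: block all calls to machined,
       which covers ListMachines, GetMachine and the per-machine property reads
       that "machinectl list" / "machinectl status" rely on. -->
  <policy context="default">
    <deny send_destination="org.freedesktop.machine1"/>
  </policy>

  <!-- Re-allow for root, so system tooling keeps working. -->
  <policy user="root">
    <allow send_destination="org.freedesktop.machine1"/>
  </policy>

  <!-- Re-allow for an administrative group (assumed: wheel). Privileged
       operations such as registering or terminating machines are still
       subject to machined's own polkit checks on top of this. -->
  <policy group="wheel">
    <allow send_destination="org.freedesktop.machine1"/>
  </policy>

</busconfig>
```

As the maintainer notes above, this only hides what machined reports over the bus; container processes remain visible through `ps` and /proc unless the host is hardened separately (for example with hidepid on /proc).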