Currently, scanning container images with Dockle reports the check DKL-LI-0001 as failing. This is in relation to the following CVE. I am wondering if there is any way this can get exploited, or if this is a false positive from Dockle?
Replies: 1 comment 1 reply
Busybox is not installed SUID in images, so it is not possible to use it as an escalation tool, and it only allows passwordless escalation from sources listed in /etc/securetty. The su included with util-linux does not allow for escalation without a password from any source other than a tty listed in /etc/securetty. PAM is similarly configured.

Honestly, Alpine should have disputed CVE-2019-5021, as the Alpine image was never vulnerable either, for the same reason. If it were to happen today, Alpine would probably reject this CVE.

We could scramble the root password to quiet the tool, but this would either result in a predictable password (not a big deal, because not SUID) or in images which cannot be reproduced. I dislike both options, especially since they are mitigations for a CVE which Alpine should have disputed.
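The reply's argument can be checked directly against an unpacked image root filesystem rather than taken on trust. The script below is an added example written for this page; it is not Dockle's code and not from the thread or the Alpine project. It reads the three things the reply relies on: whether root's password field in /etc/shadow is empty (the DKL-LI-0001 condition), whether su (the busybox applet or a util-linux binary) carries the setuid bit, and which ttys /etc/securetty permits. The function names and the constructed fixture rootfs are mine; the fixture's file contents are made up to resemble the layout the reply describes.

```shell
#!/bin/sh
# Added example (not Dockle's code and not from the thread): reproduce the
# reply's reasoning against an unpacked image rootfs at $1. Function and
# fixture names are hypothetical; the fixture contents are constructed.

# 0 if root's password field in /etc/shadow is empty (the DKL-LI-0001 condition).
# A locked field such as "!" or "*" is not empty, so it returns 1.
root_password_empty() {
    rootfs="$1"
    [ -f "$rootfs/etc/shadow" ] || return 1
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$rootfs/etc/shadow")
    [ -z "$field" ]
}

# 0 if any su candidate is setuid. test -u follows symlinks, so a
# /bin/su -> busybox link is judged by busybox's own mode bits.
su_is_setuid() {
    rootfs="$1"
    for f in bin/busybox bin/su usr/bin/su sbin/su; do
        [ -u "$rootfs/$f" ] && return 0
    done
    return 1
}

# Prints the ttys listed in /etc/securetty, space separated, comments skipped.
securetty_list() {
    rootfs="$1"
    [ -f "$rootfs/etc/securetty" ] || return 0
    awk '!/^#/ && NF { printf "%s%s", sep, $1; sep = " " } END { print "" }' \
        "$rootfs/etc/securetty"
}

# Verdict as one line on stdout; exit 1 only when there is something to
# investigate: an empty password combined with a setuid su, and even then
# only from a tty in securetty.
assess() {
    rootfs="$1"
    if ! root_password_empty "$rootfs"; then
        echo "root password set or locked: DKL-LI-0001 should not fire"
        return 0
    fi
    if su_is_setuid "$rootfs"; then
        echo "empty root password and setuid su: investigate (securetty: $(securetty_list "$rootfs"))"
        return 1
    fi
    echo "empty root password but su is not setuid: finding is not escalatable"
    return 0
}

# Constructed fixture mirroring the reply: no root password, /bin/su a symlink
# to a non-setuid busybox stand-in, a securetty with two entries. Prints its path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/bin"
    printf 'root::0:0:::::\n' > "$dir/etc/shadow"
    printf '# consoles from which root may log in\nconsole\ntty1\n' > "$dir/etc/securetty"
    printf '#!/bin/sh\nexit 0\n' > "$dir/bin/busybox"
    chmod 0755 "$dir/bin/busybox"
    ln -s busybox "$dir/bin/su"
    echo "$dir"
}

# Usage: sh check_root_pw.sh /path/to/unpacked/rootfs
if [ $# -gt 0 ]; then
    assess "$1"
fi
```

To run it against a real image, unpack the filesystem first, for example with `docker export "$(docker create alpine)" | tar -x -C ./rootfs`, then point the script at `./rootfs`. The point of `su_is_setuid` is the one the reply makes: an empty hash is only a problem if some setuid program will consult it, and on a busybox-based image that means checking the mode bits of the busybox binary the `su` symlink resolves to, not the symlink itself.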