Docker auth still not proper #47

Open
bviktor opened this issue Jan 9, 2020 · 5 comments

Comments

bviktor (Collaborator) commented Jan 9, 2020

No description provided.

bviktor (Collaborator, Author) commented Jan 9, 2020

https://stackoverflow.com/questions/18062026/resolve-symlinks-in-go

Disable and uninstall current version:

docker plugin disable openpolicyagent/opa-docker-authz-v2:0.5
docker plugin uninstall openpolicyagent/opa-docker-authz-v2:0.5

Grab sources:

git clone https://github.com/open-policy-agent/opa-docker-authz.git

Build:

make clean
make image
docker run openpolicyagent/opa-docker-authz:0.5

If that works, deploy:

make plugin
docker plugin disable openpolicyagent/opa-docker-authz-v2:0.5
docker plugin set openpolicyagent/opa-docker-authz-v2:0.5 opa-args="-policy-file /opa/policies/authz.rego"
docker plugin enable openpolicyagent/opa-docker-authz-v2:0.5
systemctl restart docker

bviktor (Collaborator, Author) commented Jan 9, 2020

The bigger problem is that users are allowed to disable and even uninstall plugins.

You can work around that by enforcing the plugin via /lib/systemd/system/docker.service:

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --authorization-plugin openpolicyagent/opa-docker-authz-v2:0.5

Yes, you have to hardcode the version.

BUT then you have to make sure that you installed the plugin first:

docker plugin install --grant-all-permissions openpolicyagent/opa-docker-authz-v2:0.5 opa-args="-policy-file /opa/policies/authz.rego"

Otherwise docker will NEVER succeed starting up. Ridiculous.

Edit: nevermind. Adding it to systemd is the exact same thing as specifying it in daemon.json.

bviktor (Collaborator, Author) commented Jan 9, 2020

Sooo, after all, it's literally, 100% impossible to prevent users from editing system files and gaining root access.

Docker will not start up if you disable the AuthZ plugin, BUT if it's already running (which it normally should be), you can

docker plugin disable openpolicyagent/opa-docker-authz-v2:0.5
docker run -it --mount type=bind,source=/,target=/host-root ubuntu bash

And that's it, you have root access. Brilliant design. A+.
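As an added example (not the project's own authz.rego and not posted in this thread), here is a policy for the -policy-file slot used in the install commands above that refuses the two API requests the bypass in this comment relies on: disabling or removing a plugin, and creating a container that bind-mounts the host root. It assumes the input document opa-docker-authz hands to OPA (input.Method, input.Path and input.Body, as described in the project README) and that the Docker Engine API routes are POST /v1.NN/plugins/{name}/disable, DELETE /v1.NN/plugins/{name} and POST /v1.NN/containers/create with the version prefix optional; the regexes and the rule names are this example's, not the project's.

```rego
package docker.authz

# Added example policy for opa-docker-authz; assumes the plugin's input
# document carries Method, Path and Body (per the project README).

default allow = false

allow {
    not deny
}

# A Docker socket user must not be able to switch the authorization plugin
# off from inside the API. Disabling (POST .../plugins/{name}/disable) and
# removing (DELETE .../plugins/{name}) are refused for every plugin.
deny {
    input.Method == "POST"
    regex.match("^(/v[0-9.]+)?/plugins/.+/disable", input.Path)
}

deny {
    input.Method == "DELETE"
    regex.match("^(/v[0-9.]+)?/plugins/.+", input.Path)
}

# Refuse container creation that bind-mounts the host root, whether given as
# --volume /:/host-root (HostConfig.Binds, "source:target[:opts]") ...
deny {
    input.Method == "POST"
    regex.match("^(/v[0-9.]+)?/containers/create", input.Path)
    bind := input.Body.HostConfig.Binds[_]
    startswith(bind, "/:")
}

# ... or as --mount type=bind,source=/,target=/host-root (HostConfig.Mounts).
deny {
    input.Method == "POST"
    regex.match("^(/v[0-9.]+)?/containers/create", input.Path)
    mount := input.Body.HostConfig.Mounts[_]
    mount.Type == "bind"
    mount.Source == "/"
}
```

Load it with the docker plugin set / enable steps shown earlier in the thread, and keep the policy file root-owned and unwritable by Docker users. Two caveats: the plugin only sees requests that pass through dockerd, so anyone who is already root on the host, or who can edit /etc/docker/daemon.json (its "authorization-plugins" key is the same setting as the --authorization-plugin flag above) or the policy file itself, is outside its reach; and the policy above denies the disable and remove routes for every plugin rather than only the authz plugin, because matching the plugin's own name would mean tracking the hardcoded version string.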

bviktor (Collaborator, Author) commented Jan 9, 2020

bviktor added a commit that referenced this issue Apr 1, 2020