Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: CNI: avoid error with iptables setuid check (release-4.2) #3445

Merged
merged 1 commit into from
Dec 20, 2024
Merged

fix: CNI: avoid error with iptables setuid check (release-4.2) #3445

merged 1 commit into from
Dec 20, 2024

Conversation

dtrudg
Copy link
Member

@dtrudg dtrudg commented Dec 20, 2024

Description of the Pull Request (PR):

Pick #3444

Newer versions of the iptables command use a real vs effective uid check whether they are being called from a setuid script, and exit if that's the case.

This check was added because iptables can call out to binaries / libraries on PATH / LD_LIBRARY_PATH, and these are generally under control of the user - allowing privilege escalation attackes.

Singularity sanitizes the environment before running CNI plugins, which will call iptables, so we can set both real and effective uid to 0 to avoid the error.

While we are here, make PATH sanitization the default in the network code, rather than relying on the caller applying it.

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:

@dtrudg dtrudg self-assigned this Dec 20, 2024
@dtrudg dtrudg marked this pull request as ready for review December 20, 2024 12:40
@dtrudg dtrudg marked this pull request as draft December 20, 2024 13:22
@dtrudg dtrudg marked this pull request as ready for review December 20, 2024 14:34
@dtrudg dtrudg requested a review from tri-adam December 20, 2024 14:35
@dtrudg
fix: CNI: avoid error with iptables setuid check
2b5f914 
Newer versions of the `iptables` command use a real vs effective uid
check whether they are being called from a setuid script, and exit if
that's the case.

This check was added because iptables can call out to binaries /
libraries on `PATH` / `LD_LIBRARY_PATH`, and these are generally under
control of the user - allowing privilege escalation attackes.

Singularity sanitizes the environment before running CNI plugins, which
will call `iptables`, so we can set both real and effective uid to 0 to
avoid the error.

While we are here, make `PATH` sanitization the default in the network
code, rather than relying on the caller applying it. Add some tests
around the priv escalation / drop code.

Fixes sylabs#3318
@dtrudg dtrudg merged commit 6af15b6 into sylabs:release-4.2 Dec 20, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wobito wobito wobito approved these changes

@tri-adam tri-adam Awaiting requested review from tri-adam

Assignees

@dtrudg dtrudg

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dtrudg @wobito