Add option to control ownership of containerd socket

[viccie30]

Adds support for setting the ownership (for Unix) or access rights (for Windows) for containerd's sockets using user and group names. Also adds a --group flag to containerd, similar to buildkitd.

Would close #10454.

ACL for Windows named pipe

The named pipe is accessible to Administrators and Local System, in addition to a user or group specified by the configuration or on the command line. This matches what buildkit does and also Windows' default ACL for named pipes. Windows' default also adds read access for all authenticated and anonymous users (see below), but I didn't think that'd be appropriate here.

Discovering default ACL

I got the default ACL for named pipes using the following Go program:

package main

import (
	"fmt"

	"golang.org/x/sys/windows"
)

func main() {
	var err error
	var acl *windows.ACL
	var sd *windows.SECURITY_DESCRIPTOR

	if err = windows.RtlDefaultNpAcl(&acl); err != nil {
		fmt.Errorf("RtlDefaultNpAcl failed: %w", err)
		return
	}

	if sd, err = windows.NewSecurityDescriptor(); err != nil {
		fmt.Errorf("NewSecurityDescriptor failed: %w", err)
		return
	}

	if err = sd.SetDACL(acl, true, true); err != nil {
		fmt.Errorf("SetDACL failed: %w", err)
		return
	}

	fmt.Println(sd)
}

And parsed it using winsddl:

$ python winsddl/sd.py -t namedpipe "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;<OWNER>)(A;;GR;;;WD)(A;;GR;;;AN)"
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;<OWNER>)(A;;GR;;;WD)(A;;GR;;;AN)
    Discretionary ACL: (A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;<OWNER>)(A;;GR;;;WD)(A;;GR;;;AN)

        ACE 1: A;;GA;;;SY
            Type: A (ACCESS_ALLOWED_ACE_TYPE)
            Access rights: GA   (0x10000000)
                0x10000000 GENERIC_ALL  (Generic right mapped to every other existing right)
            Trustee: SY (S-1-5-18) (Local System)

        ACE 2: A;;GA;;;BA
            Type: A (ACCESS_ALLOWED_ACE_TYPE)
            Access rights: GA   (0x10000000)
                0x10000000 GENERIC_ALL  (Generic right mapped to every other existing right)
            Trustee: BA (S-1-5-32-544) (Administrators)

        ACE 3: A;;GA;;;<OWNER>
            Type: A (ACCESS_ALLOWED_ACE_TYPE)
            Access rights: GA   (0x10000000)
                0x10000000 GENERIC_ALL  (Generic right mapped to every other existing right)
            Trustee: <OWNER>

        ACE 4: A;;GR;;;WD
            Type: A (ACCESS_ALLOWED_ACE_TYPE)
            Access rights: GR   (0x80000000)
                0x80000000 FILE_GENERIC_READ    (Generic right to read (mapped to FILE_READ_ATTRIBUTES | FILE_READ_DATA | FILE_READ_EA | SYNCHRONIZE | READ_CONTROL))
            Trustee: WD (S-1-1-0) (Everyone) (Authenticated users, Guests, and Anonymous remote users in XP SP1 and earlier, or if EveryoneIncludesAnonymous=1)

        ACE 5: A;;GR;;;AN
            Type: A (ACCESS_ALLOWED_ACE_TYPE)
            Access rights: GR   (0x80000000)
                0x80000000 FILE_GENERIC_READ    (Generic right to read (mapped to FILE_READ_ATTRIBUTES | FILE_READ_DATA | FILE_READ_EA | SYNCHRONIZE | READ_CONTROL))
            Trustee: AN (S-1-5-7) (Anonymous Logon) (Group that includes all users who have logged on anonymously, maintained by the system)

[k8s-ci-robot]

Hi @viccie30. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[AkihiroSuda]

This is insecure and should not be implemented, at least for Linux.

This matches what buildkit does and also Windows' default ACL for named pipes.

BuildKit is not comparable here, as BuiltKit does not allow privileged operations by default

[viccie30]

This is insecure and should not be implemented, at least for Linux.

What is insecure about it? For Linux the only change is that besides accepting numeric uids and gids, the code now also accepts and parses user and group names?

This matches what buildkit does and also Windows' default ACL for named pipes.

BuildKit is not comparable here, as BuiltKit does not allow privileged operations by default

With this change containerd won't either. Default access is restricted to Administrators and Local System as well, unless explicitly changed by the configuration or command line.

[AkihiroSuda]

What is insecure about it? For Linux the only change is that besides accepting numeric uids and gids, the code now also accepts and parses user and group names?

Sorry, I forgot we have been already supporting uids and gids. This probably should be deprecated though.

[viccie30]

Sorry, I forgot we have been already supporting uids and gids. This probably should be deprecated though.

Can I ask why? Giving selected users access to use containerd without requiring them to have root access otherwise seems useful.

[AkihiroSuda]

Sorry, I forgot we have been already supporting uids and gids. This probably should be deprecated though.

Can I ask why? Giving selected users access to use containerd without requiring them to have root access otherwise seems useful.

Because an access to the socket equates to the root, and some users do not know this fact.

Why not just use sudo explicitly?

[samuelkarp]

Because an access to the socket equates to the root, and some users do not know this fact.

This is correct. Access to the socket means a user can create a container that has no restrictions, at least on Linux.

[apurv15]

I agree that this PR will add first class support for restricting access to certain users on Windows.
As an alternative, protected prefix paths for namedpipes can be used as is described here - https://www.tiraniddo.dev/2017/11/named-pipe-secure-prefixes.html
But i could not find any official documentation around this.

[k8s-ci-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.