Su from normal user to root without password - easy privilege escalation?

[kost]

Currently root/su is configured on gliderlabs/alpine that su from normal user to root is possible without providing any password (just writing "su" and pressing Enter). I find that default bit problematic as any service should run as normal user and not root, but currently there is no gain in that. If attacker is able to gain normal user - he can easily escalate its privileges. Therefore, I think default should be more secure.

[jumanjiman]

reproducer

create Dockerfile

FROM gliderlabs/alpine:3.2

RUN adduser -D foo

USER foo
ENTRYPOINT ["sh"]

build

$ docker build --rm -t reproducer .
Sending build context to Docker daemon 2.048 kB
Step 0 : FROM gliderlabs/alpine:3.2
 ---> 87f9f1ccfaf3
Step 1 : RUN adduser -D foo
 ---> Running in 2be56b91cbb0
 ---> 278b39a6a512
Removing intermediate container 2be56b91cbb0
Step 2 : USER foo
 ---> Running in 8c27cbfe39dd
 ---> 86f00189e959
Removing intermediate container 8c27cbfe39dd
Step 3 : ENTRYPOINT sh
 ---> Running in 1a200b04f0cc
 ---> 273f0dd4afef
Removing intermediate container 1a200b04f0cc
Successfully built 273f0dd4afef

run the reproducer

$ docker run --rm -it reproducer
/ $ id
uid=1000(foo) gid=1000(foo)
/ $ su
/ # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # exit
/ $ exit

[jumanjiman]

workaround 1

remove su and other dangerous commands.
example hardening script at https://gist.github.com/jumanjiman/f9d3db977846c163df12

workaround 2

assign passwd to root in Dockerfile

FROM gliderlabs/alpine:3.2

RUN adduser -D foo

RUN a_pass=$(echo fubar | mkpasswd) && \
    echo "root:${a_pass}" | chpasswd

USER foo
ENTRYPOINT ["sh"]

build

$ docker build --rm -t reproducer:workaround .
Sending build context to Docker daemon 2.048 kB
Step 0 : FROM gliderlabs/alpine:3.2
 ---> 87f9f1ccfaf3
Step 1 : RUN adduser -D foo
 ---> Using cache
 ---> 278b39a6a512
Step 2 : RUN a_pass=$(echo fubar | mkpasswd) &&     echo "root:${a_pass}" | chpasswd
 ---> Running in 932b1bf10573
Password for 'root' changed
 ---> 0504d0088586
Removing intermediate container 932b1bf10573
Step 3 : USER foo
 ---> Running in 7fe03fa1ff47
 ---> 7e3a0ed41fd9
Removing intermediate container 7fe03fa1ff47
Step 4 : ENTRYPOINT sh
 ---> Running in 3247ac072afd
 ---> 267e493c3504
Removing intermediate container 3247ac072afd
Successfully built 267e493c3504

attempt to reproduce

$ docker run --rm -it reproducer:workaround
/ $ id
uid=1000(foo) gid=1000(foo)
/ $ su
Password: 
su: incorrect password
/ $ id
uid=1000(foo) gid=1000(foo)
/ $ exit

[kost]

Thanks. I don't have problems with workaround, but this should be mentioned in big bold letters for someone building other images based on this or using this image for any purpose. I see lot of images built on this which means lot of them are vulnerable since they did not perform workarounds you mentioned. Other base docker distros do not share same problem.

[jumanjiman]

agreed. people assume it's safe. warning is appropriate

[andyshinn]

Anyone done any debugging into what might cause this? Before just documenting some warning that could be masking a serious bug, I'd rather gather some useful information to go upstream to see why this happens.

At first glance, su is actually a symlink to bbsuid. I'm guessing that is some sort of BusyBox su. But searches come up pretty nil and I can only find a Alpine package at https://github.com/alpinelinux/aports/blob/master/main/bbsuid/APKBUILD which points to a dead git repository at http://git.alpinelinux.org/cgit/bbsuid/.

It seems like it might be a Alpine specific project so maybe we can ask them what might be going on.

A third workaround is to remove the setuid bit on /bin/bbsuid (chmod u-s /bin/bbsuid). I wonder if this bit gets set in error somewhere?

[kost]

Workaround is workaround. Proper fix would be appreciated as well as security advisory.

Also, notice that there is no security contact for this image, so I abused github issues. In short, security contact would be nice in main README.md file - I've opened different issue for this:
#104

[andyshinn]

Sorry for late replies on this. I was definitely alarmed and am fully following. But am very sensitive to it and since it is more of an upstream thing, am trying to learn more about it.

I posed this question in the #alpine-devel IRC channel and it reads as if it is normal behavior at the moment.

However, one of the Alpine Linux lead developers did respond agreed that it would be prudent to try and fix it upstream (a la BusyBox). He kindly offered the following mailing list posts where it was brought up recently:

• http://lists.busybox.net/pipermail/busybox/2015-October/083392.html
• http://lists.busybox.net/pipermail/busybox/2015-November/083621.html
• http://lists.busybox.net/pipermail/busybox/2015-November/083629.html

I'd highly recommend in getting involved and voicing your opinion on the mailing lists. But I'll also be leaving this open and discussing with some other folks internally about the merits of this security issue. Security is definitely a high ticket issue, especially in container land these days.

It is not that we are ignoring issues like this. It is just that they are more upstream issues and we want to act as a friendly, good natured ambassador for the Docker community, which takes proper time and communication.

[frol]

WAT?! I've just discovered this "feature" myself. Could you please at least patch it for Docker comunity by setting ! as a hash of a password?!

RUN sed -ie 's/^root::/root:!:/' /etc/shadow

Alpine as a standalone OS may want to allow empty password for root, so people can access it after a fresh installation, but it is not the case for Docker images!

[jumanjiman]

Alpine as a standalone OS may want to allow empty password for root, so people can access it after a fresh installation, but it is not the case for Docker images!

👍

[frol]

@progrium @andyshinn Please, fix this quite critical issue! My PR is trivial, and I have tested it, yet it has been dangling there for two days already.