
Blubber should implement a better file permissions convention
Status: Closed, Resolved (Public)

Description

Blubber currently outputs a buildable Dockerfile in five distinct phases: PhasePrivileged, PhasePrivilegeDropped, PhasePreInstall, PhaseInstall, and PhasePostInstall. Instructions that could possibly allow arbitrary code to be executed are only output after the PhasePrivilegeDropped phase is reached and the runtime user is set to whatever is configured for runs.as. This serves as a very basic security model that disallows users of Blubber from controlling what will eventually be run as root at container runtime. However, the COPY instructions as they're currently output result in files owned by root, not the runs.as user, so the current implementation is broken.

On top of that, if the current implementation were fixed, the runtime user would then have read/write access to the application's files and installed dependencies. This is also not desirable.

After discussing it, this is the basic model we want, using distinct levels of privilege (not just root and the runs.as user):

  1. (as root) Only APT package installation and other operations that can't lead to arbitrary execution are done.
  2. (as somebody) Install dependencies and copy over application files.
  3. (as somebody) Allow configuration for some application files/dirs to be chown'd to the runs.as user (temp build directories, etc.).
  4. (as [runs.as]) Execute entrypoint.
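As an added illustration of the four privilege levels above, here is one way a Dockerfile following that convention could look. This is example text written for this page, not Blubber's actual output; the base image, the `somebody`/`runuser` account names (`runuser` standing in for whatever runs.as is set to), the `/srv/app` layout, and the Python application with a `requirements.txt` are all assumptions. One detail the list above glosses over is handled explicitly here: an unprivileged process cannot give files away on Linux (chown to another uid needs CAP_CHOWN), so level 3 is realised with `COPY --chown`, which the build daemon applies as root regardless of the current USER, and with root-side mkdir/chown of fixed, configured paths in level 1, rather than with a `RUN chown` executed as somebody.

```dockerfile
# Level 1 (root): package installation and account/directory setup only.
# Nothing here executes code taken from the application tree; the only
# project-controlled input is the list of packages and the fixed paths
# that must be writable at runtime (assumed to come from configuration).
FROM debian:stretch

RUN apt-get update \
    && apt-get install -y --no-install-recommends python3 python3-pip \
    && rm -rf /var/lib/apt/lists/* \
    && groupadd -r somebody && useradd -r -g somebody -d /srv/app somebody \
    && groupadd -r runuser && useradd -r -g runuser -d /nonexistent runuser \
    && mkdir -p /srv/app /srv/app/tmp /srv/app/log \
    && chown somebody:somebody /srv/app \
    && chown runuser:runuser /srv/app/tmp /srv/app/log

# Level 2 (somebody): everything that can run project-controlled code, i.e.
# dependency installation and the copy of the application tree, runs as the
# unprivileged build owner. A plain COPY would leave files owned by uid 0
# regardless of USER, so --chown (available since Docker 17.09) is required.
USER somebody
WORKDIR /srv/app
COPY --chown=somebody:somebody requirements.txt ./
RUN pip3 install --no-cache-dir --target /srv/app/lib -r requirements.txt
COPY --chown=somebody:somebody . .

# Level 3: the configured files/dirs the runtime user must own. This COPY is
# applied by the daemon as root (a RUN chown as somebody could not give the
# files to runuser); tmp/ and log/ were already created for runuser above.
COPY --chown=runuser:runuser config/ /srv/app/config/

# Level 4 (runs.as user): the entrypoint has read-only access to the
# application tree and its dependencies, and write access only to the
# directories deliberately handed to it (tmp/, log/, config/).
ENV PYTHONPATH=/srv/app/lib
USER runuser
ENTRYPOINT ["python3", "/srv/app/app.py"]
```

Because COPY ownership is decided by the daemon and not by the USER in effect, the privilege-drop boundary only constrains RUN instructions; the two checks that this convention is actually holding are that every RUN after the first `USER` line executes as somebody or as the runtime user, and that `ls -ln` inside the built image shows the application tree and `lib/` owned by somebody's uid with only the configured directories owned by the runtime uid. The runtime-writable directories (`tmp/`, `log/`) are assumed to be excluded from the build context via `.dockerignore` so that the `COPY . .` in level 2 does not populate them as somebody.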

Revisions and Commits

rGBLBR Blubber
Restricted Differential Revision

Event Timeline

dduvall renamed this task from "Blubber should support chown-ing selective project files/dirs" to "Blubber should implement a better file permissions convention". Feb 14 2018, 11:13 PM
dduvall claimed this task.
dduvall triaged this task as High priority.
dduvall updated the task description.
dduvall moved this task from Backlog to Doing on the Release Pipeline (Blubber) board.
dduvall added a revision: Restricted Differential Revision. Feb 22 2018, 12:20 AM