Page MenuHomePhabricator

Blubber should implement a better file permissions convention
Closed, ResolvedPublic

Description

Blubber currently outputs a buildable Dockerfile in five distinct phases:PhasePrivileged, PhasePrivilegeDropped, PhasePreInstall, PhaseInstall, and PhasePostInstall. Instructions that could possibly allow arbitrary code to be executed are only output after the PhasePrivilegeDropped phase is reached and the runtime user is set to whatever is configured for runs.as, and this serves as a very basic security model to disallow users of Blubber to control what will eventually be run as root at container runtime. However, the COPY instructions as they're currently output result in files owned as root, not the runs.as user, so the currently implementation is borked.

Add to that, if the current implementation were fixed, the runtime user would then have read/write access to the application's files and installs dependencies. This is also not desirable.

After discussing it, this is the basic model we want using distinct levels of privilege (not just root and the runs.as user):

  1. (as root) Only APT package installation and other operations that can't lead to arbitrary execution are done.
  2. (as somebody) Install dependencies and copy over application files.
  3. (as somebody) Allow configuration for some application files/dirs to be chown'd as the runs.as user (temp build directories, etc.).
  4. (as [runs.as]) Execute entrypoint.

Event Timeline

dduvall created this task.Feb 14 2018, 8:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 14 2018, 8:19 PM
dduvall renamed this task from Blubber should support chown-ing selective project files/dirs to Blubber should implement a better file permissions convention.Feb 14 2018, 11:13 PM
dduvall claimed this task.
dduvall triaged this task as High priority.
dduvall updated the task description. (Show Details)
dduvall moved this task from Backlog to Doing on the Release Pipeline (Blubber) board.
dduvall moved this task from Backlog to In-progress on the Release-Engineering-Team (Kanban) board.