Summary of Open Issue: TOB-K8S-004 - Pervasive World-Accessible File Permissions
Issue ID: TOB-K8S-004
Date Reported: August 8, 2019
Severity: Medium
Environment: Kubernetes version 1.13.4
Labels: security, bug, important-longterm, help wanted, good first issue
Description
This issue arises from the Kubernetes Security Audit Report, highlighting several instances of files and directories within Kubernetes that have world-writable permissions (0777 for directories, 0666 for files). The audit found specific code locations where such permissive settings were either explicitly set or set as defaults across various components, including etcd migration, Azure, and emptydir volumes.
Key Findings
- World-Writable Directories: Multiple directories are created with 0777 permissions, allowing any user on the system to write to them. Examples include:
  - cluster/images/etcd/migrate/data_dir.go
  - pkg/volume/azure_file/azure_util.go (defaultDirMode set to 0777)
- World-Writable Files: Several files are created with 0666 permissions, which permits all users to read and write to them. Examples include:
  - pkg/kubelet/kuberuntime/kuberuntime_container.go (container log paths set to 0666)
- World-Readable Permissions: Some files, such as Certificate Signing Requests (CSRs), are created with world-readable permissions (0644) inside world-readable directories (0755).
Exploit Scenarios
Because the affected paths are world-writable, any local user, not only the Kubernetes service account, can modify critical data while an operation such as the etcd data-directory migration is in progress, which can lead to elevated privileges or unauthorized access.
Recommendations
- Short Term: Audit and revoke unnecessary world-accessible permissions to minimize exposure. Transition files and directories to more restrictive permissions.
- Long Term: Implement group memberships and Extended Access Control Lists (ACLs) to ensure that files are accessible only to the appropriate users and groups, enhancing security.
Current Status
The issue remains under observation with various community members discussing potential solutions and the implications of changing permissions. Some parts related to kubeadm have been resolved, but other areas still require contributions and review.
Overall, addressing these pervasive permissions will enhance Kubernetes’ security profile and reduce audit complications for operators.
Community Engagement
Active discussions continue in the thread, with developers assigning themselves to specific instances of the issue, which reflects both interest in and the need for refining the permissions model across the project.
For further insights, refer to the original Kubernetes Security Review Report (page 32) and related threads for context and updates.