Security risk using /var/tmp as HOME #699
Comments
Already fixed... https://github.com/puppetlabs/puppetlabs-docker/pull/698/files
No, looking at the tag for 3.13.0 I can see that '/root' was already put in
before the release was made.
v3.13.0...main
On Wed, Dec 16, 2020 at 9:56 AM Marti Raudsepp ***@***.***> wrote:
> Was the insecure behavior ever part of any Docker release?
@sdinten: Sorry this isn't right. So yes the issue is still part of the current release. v3.12.1...v3.13.0
@sebastianTC you're right (again). It seems that PR #698 (already merged) did not make it into the release. @adrianiurca can you put this pull request in the following update?
Fixed as of 3.13.1 (PR #698)
Description
The fix for #689 uses the path /var/tmp as the home folder.
This folder is writable by everybody.
This could have a security impact:
According to https://docs.docker.com/engine/reference/commandline/cli/:
> By default, the Docker command line stores its configuration files in a directory called .docker within your $HOME directory. Docker manages most of the files in the configuration directory and you should not modify them. However, you can modify the config.json file to control certain aspects of how the docker command behaves.

So every user could cause Docker settings to change by creating a config in /var/tmp/.docker/
@sebastianTC thanks for mentioning this!
Expected Behavior
Everything works as expected but there is a security risk
Steps to Reproduce
Run puppet agent with an environment that uses the docker module
Environment
All
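
A defender-side check for the condition reported in this issue, added here as an example (it is not code from puppetlabs-docker): it tests whether a directory can safely be exported as HOME before `docker` is run, by inspecting the directory, its `.docker` subdirectory and `config.json`. The function names `path_is_private` and `docker_home_is_safe` are hypothetical, and parent directories are assumed to be trusted.

```shell
#!/bin/sh
# Added example, not part of the puppetlabs-docker module.
# Function names are hypothetical; parent directories are assumed trusted.

# path_is_private PATH -> 0 if PATH is not a symlink, is owned by the current
# user or root, and carries no group or other write bit.
path_is_private() {
    p=$1
    # A symlink could be re-pointed by whoever controls its directory.
    if [ -L "$p" ]; then return 1; fi
    # Owner must be the invoking user or root (find -prune tests only $p itself).
    if [ -z "$(find "$p" -prune \( -user "$(id -u)" -o -user 0 \) 2>/dev/null)" ]; then
        return 1
    fi
    # Reject group-writable or world-writable paths; /var/tmp (mode 1777) fails here.
    if [ -n "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
        return 1
    fi
    return 0
}

# docker_home_is_safe DIR -> 0 when DIR, DIR/.docker and DIR/.docker/config.json
# (where they exist) all pass path_is_private.
docker_home_is_safe() {
    home=$1
    [ -d "$home" ] || return 1
    for p in "$home" "$home/.docker" "$home/.docker/config.json"; do
        # Dangling symlinks fail -e, so test -L first.
        if [ -L "$p" ]; then return 1; fi
        [ -e "$p" ] || continue
        path_is_private "$p" || return 1
    done
    return 0
}

# Stand-alone use: sh check_home.sh /var/tmp
if [ "$#" -ge 1 ]; then
    if docker_home_is_safe "$1"; then
        echo "$1: acceptable as HOME for docker"
    else
        echo "$1: unsafe as HOME for docker" >&2
        exit 1
    fi
fi
```
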