<div dir="ltr"><br><div><br></div><div>Thanks! and I'll watch the video...</div><div><br></div><div>Privileged containers!.... never!.... </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 19, 2019 at 9:06 PM Michael Jennings <<a href="mailto:mej@lanl.gov">mej@lanl.gov</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thursday, 19 September 2019, at 19:27:38 (-0400),<br>
Fulcomer, Samuel wrote:<br>
<br>
> I obviously haven't been keeping up with any security concerns over the use<br>
> of Singularity. In a 2-3 sentence nutshell, what are they?<br>
<br>
So before I do that, if you have a few minutes, I do think you'll find<br>
it worth your time to go to <a href="https://youtu.be/H6VrjowOOF4?t=2361" rel="noreferrer" target="_blank">https://youtu.be/H6VrjowOOF4?t=2361</a> (it'll<br>
start about 39 minutes in) and watch at least those next 8 or so minutes.<br>
I go into some detail about the security track records of multiple<br>
container runtimes and provide factual data so that folks can make their<br>
own risk assessments rather than just giving my personal opinion. (The<br>
video does cut off the right side of the slides, but the slide deck is<br>
available at <a href="https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-19-22663" rel="noreferrer" target="_blank">https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-19-22663</a><br>
for anyone interested.)<br>
<br>
If you really don't want to watch the video, though, I can provide a few<br>
of the data points.<br>
<br>
First off, if you have not read it before, you really should read<br>
Matthias Gerstner's assessment after doing a code review and security<br>
audit on Singularity 2.6.0 to see if it could be packaged for SuSE:<br>
<a href="https://www.openwall.com/lists/oss-security/2018/12/12/2" rel="noreferrer" target="_blank">https://www.openwall.com/lists/oss-security/2018/12/12/2</a><br>
The quotes I used on the slide for my talk came from comments he made in<br>
the linked SuSE Bugzilla bug -- which, for unknown reasons, was<br>
re-locked by SuSE after previously being unlocked once the bug report<br>
was public! -- regarding whether or not, and under what constraints, to<br>
include and support Singularity on SuSE. Matthias is a widely respected<br>
security expert in the OSS community, so I trust his assessment and<br>
insight. And his audit alone found 5 or 6 CVE-worthy vulnerabilities at<br>
once.<br>
<br>
Additionally, as I mentioned in the video, during the 3-year period<br>
2016-2018, there were at least 17 different vulnerabilities found in<br>
Singularity. Also, of the 9 releases they did during 2018, 7 of those<br>
were security releases to fix vulnerabilities (and frequently more than<br>
1 at a time). That's...not great. Especially in an environment like<br>
ours where saying "security is important" is an understatement of<br>
nuclear proportions! ;-)<br>
<br>
And finally, while we were hopeful that the rewrite in Go (version 3.0<br>
and above) would correct the security failings in the code, there've<br>
already been multiple serious vulnerabilities (all grouped together<br>
under a single CVE identifier, CVE-2019-11328), at least one of which<br>
was essentially a replica of one of the flaws fixed in 2.6.0 under<br>
CVE-2018-12021! And you don't need to take my word for it, either:<br>
<a href="https://www.openwall.com/lists/oss-security/2019/05/16/1" rel="noreferrer" target="_blank">https://www.openwall.com/lists/oss-security/2019/05/16/1</a><br>
<br>
It's hard to say if the above trend will continue...but not all sites<br>
can afford to take those kinds of risks.<br>
<br>
And while Shifter's security track record is spotless to date, I would<br>
still summarize the overall lesson to be learned as, "Don't use<br>
privileged container runtimes. Use user namespaces. That's what<br>
they're there for." And before anyone yells at me, yes I know<br>
Singularity advertises user namespace support and non-setuid operation.<br>
But it doesn't seem to be very widely used or adequately exercised, and<br>
AFAICT the default mode of operation in both RPMs and build-from-src is<br>
via setuid binaries. So using a natively unprivileged runtime still<br>
seems the less risky choice, in my personal assessment.<br>
<br>
Yes, I know that was more than a "2-3 sentence nutshell," but hopefully<br>
it was helpful anyway! :-)<br>
<br>
Michael<br>
<br>
-- <br>
Michael E. Jennings <<a href="mailto:mej@lanl.gov" target="_blank">mej@lanl.gov</a>><br>
HPC Systems Team, Los Alamos National Laboratory<br>
Bldg. 03-2327, Rm. 2341 W: +1 (505) 606-0605<br>
</blockquote></div>