Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] Transversal data access unallowed can occurs silently. #9434

Closed
Yivan opened this issue May 2, 2022 · 2 comments · Fixed by compose-spec/compose-go#261
Closed

[SECURITY] Transversal data access unallowed can occurs silently. #9434

Yivan opened this issue May 2, 2022 · 2 comments · Fixed by compose-spec/compose-go#261

Comments

@Yivan
Copy link

Yivan commented May 2, 2022

Description of the issue

Mounting volume can lead a compose stack to access to another compose stack volume, totally silently to the docker administrator. this can lead to accessing to data not allowed for the other stack.
(previous issue has been closed without any review on your part - #8250, so I hopened it again here, sorry for the inconveniance, but I don't understand why it is not processed has this is an easily reproductible problem with information I gave. Thanks.).

Context information (for bug reports)

Output of docker-compose version

docker-compose version 1.28.6, build 5db8d86f
docker-py version: 4.4.4
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019

Output of docker version

Client: Docker Engine - Community
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:17:50 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:15:47 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker-compose config
(Make sure to add the relevant -f and other flags)

services:
  myservice:
    command: tail -f /dev/null
    image: alpine
    volumes:
    - myvolume:/mydatas:rw
version: '3.7'
volumes:
  myvolume: {}

Steps to reproduce the issue

Order is very important here, myproject should be started before my-project.

  1. docker-compose -f compose.yml -p myproject up -d
  2. docker exec myproject_myservice_1 touch /mydatas/secret.txt
  3. docker-compose -f compose.yml -p my-project up -d
  4. docker exec my-project_myservice_2 ls /mydatas
    Secret file is visible by the second project!

Observed result

We can only see myproject_myvolume which is used by both stack.
The same volume is mounted on both stack. my-project has access to the file created for myproject.
my-project use volume myproject_myvolume, but it should be my-project_myvolume which should have been created.

If the stack my-project is runned first my-project_myvolume is well created.

How to check:

  1. docker-compose -f compose.yml -p my-project down
  2. docker-compose -f compose.yml -p myproject down
  3. docker volume rm myproject_myvolume
  4. docker-compose -f compose.yml -p my-project up -d
  5. docker volume ls
    We can see my-project_myvolume has been created, here the name is good.

Expected result

It is esxpect that myproject_myvolume and my-project_myvolume are created when i first start the stack myproject and after the stack my-project. Behavious and volume name must not differ depending order of runned composer up commands.

Stacktrace / full error message

N/A

Additional information

I already created some times ago an issue to report the problem but it never get attention (#6904), so I closed this one, hoping this new one will be studied.
I hope it could be fixed as it leads to security concern and strange behaviour in case projet name differs from only a dash and the one without dash is started first.

For pratical use case, we encounter serious problem with project having just a name like "myproject" and the other one "my-project" and the volume was database, leading to the project "my-prject" to use the "myproject" database... pretty hard bug. Hopefully it was in testing environment, but for production environment it could be desastrous.

A malicious user could use this tricky behaviour to access data of another stack.

Tested on Debian buster, official repositories, all up to date, including docker and docker compose.

Thanks!
@ndeloof
Copy link
Contributor

ndeloof commented May 17, 2022

Project name explicitly set by user using --project-name is actually converted to remove some characters, but should have been rejected. This triggers resource naming conflicts, that I would not classify as "security issue" but definitively an usability issue we have to address.

@ndeloof ndeloof mentioned this issue May 17, 2022
Merged
@ndeloof
Copy link
Contributor

ndeloof commented May 17, 2022

I tried to reproduce with your scenario, and I get distinct volume created depending on project name:
docker-compose -f compose.yml -p my-project up => my-project_myvolume
docker-compose -f compose.yml -p myproject up => myproject_myvolume

so, collision doesn't occur.
did I miss something?

@glours glours mentioned this issue Jul 27, 2022
Closed
This was referenced Feb 24, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Check an explicit project name is valid ndeloof/compose-go
2 participants
@ndeloof @Yivan