Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The default of allow_privilege_escalation should be False #544

Closed
2 tasks
consideRatio opened this issue Nov 12, 2021 · 0 comments · Fixed by #545
Closed
2 tasks

The default of allow_privilege_escalation should be False #544

consideRatio opened this issue Nov 12, 2021 · 0 comments · Fixed by #545

Comments

@consideRatio
Copy link
Member

consideRatio commented Nov 12, 2021
edited
Loading

Suggested changes

  • We should support having allow_privilege_escalation be None, True, or False.
    • None should mean it won't be set explicitly
    • True/False should mean it will be set explicitly.
  • We should make the default value of allow_privilege_escalation be False
    Currently the default value is True but behaves as None.

Current situation

Currently, we the default value of allow_privilege_escalation is True, and we don't allow the value to be None.

kubespawner/kubespawner/spawner.py

Lines 915 to 927 in fdfa2ad

allow_privilege_escalation = Bool(
True,
config=True,
help="""
Controls whether a process can gain more privileges than its parent process.
This bool directly controls whether the no_new_privs flag gets set on the container
process.
AllowPrivilegeEscalation is true always when the container is:
1) run as Privileged OR 2) has CAP_SYS_ADMIN.
""",
)

Currently, our logic is to treat True as a None value should and would be treated. I consider this a bug. The current behaviour is as if the default value was None, because our logic here makes us not explicitly set it.

kubespawner/kubespawner/objects.py

Lines 427 to 428 in fdfa2ad

if not allow_privilege_escalation: # true as default
csc["allowPrivilegeEscalation"] = False

I consider this a bug because there is a difference between True and None in case there is a PodSecurityPolicy resource in the k8s cluster that has a DefaultAllowPrivilegeEscalation set to False. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation for some details about this.

Background

Root escalation is one required step towards doing bad things, to default to preventing it by default is to put another barrier up against something problematic like https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough.
yuvipanda added a commit to yuvipanda/kubespawner that referenced this issue Nov 15, 2021
@yuvipanda
Default allow_privilege_escalation to False
f45fc60 
Allows it to be set to None as well, to not set the property.

This is a breaking change for hubs where admins were granting
sudo rights to users. That already required some extra work,
so this would be an additional propety to set for that. The
added security benefit from this much more secure default is
well worth the breakage IMO.

Fixes jupyterhub#544
@yuvipanda yuvipanda mentioned this issue Nov 15, 2021
Merged
yuvipanda added a commit to yuvipanda/kubespawner that referenced this issue Nov 15, 2021
@yuvipanda
Default allow_privilege_escalation to False
4258795 
Allows it to be set to None as well, to not set the property.

This is a breaking change for hubs where admins were granting
sudo rights to users. That already required some extra work,
so this would be an additional propety to set for that. The
added security benefit from this much more secure default is
well worth the breakage IMO.

Fixes jupyterhub#544
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Default allow_privilege_escalation to False yuvipanda/kubespawner
1 participant
@consideRatio