A bug was fixed in allocation directory migration. The Nomad client did not check that any symlinks in the archive pointed outside the allocation directory. While task driver sandboxing will protect against processes inside the task from reading/writing through the symlink, this doesn't protect against the client itself from performing unintended operations outside the sandbox, such as the template-based attack described in #19888
During allocation directory migration, the client was not checking that any
symlinks in the archive aren't pointing to somewhere outside the allocation
directory. While task driver sandboxing will protect against processes inside
the task from reading/writing through the symlink, this doesn't protect against the
client itself from performing unintended operations outside the sandbox.
This changeset includes two changes:
* Update the archive unpacking to check the source of symlinks and require that
  they fall within the sandbox.
* Fix a bug in the symlink check where it was using `filepath.Rel` which doesn't
  work for paths in the sibling directories of the sandbox directory. This bug
  doesn't appear to be exploitable but caused errors in testing.
Fixes: #19887
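An added example, not Nomad's own code, of the kind of check the first change describes: scan a tar stream before unpacking and flag every symlink whose target resolves outside the sandbox, including a sibling directory that shares the sandbox's name prefix. The function names, the `/srv/sandbox/abc` path and the archive contents are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SymlinkEscapes: does a link at entryName with target linkname leave sandbox (lexically)?
func SymlinkEscapes(sandbox, entryName, linkname string) bool {
	sandbox, target := filepath.Clean(sandbox), filepath.Clean(linkname)
	if !filepath.IsAbs(target) { // relative targets resolve from the link's directory
		target = filepath.Join(sandbox, filepath.Dir(entryName), target)
	}
	// The trailing separator stops a sibling such as abc-old matching abc.
	return target != sandbox && !strings.HasPrefix(target, sandbox+string(filepath.Separator))
}

// EscapingSymlinks lists symlink entries whose targets leave sandbox; reject the archive if any.
func EscapingSymlinks(r io.Reader, sandbox string) (bad []string, err error) {
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag == tar.TypeSymlink && SymlinkEscapes(sandbox, hdr.Name, hdr.Linkname) {
			bad = append(bad, hdr.Name)
		}
	}
	return bad, nil
}

// SampleArchive builds a constructed tar holding only symlinks {name, target}.
func SampleArchive(links [][2]string) io.Reader {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, l := range links {
		tw.WriteHeader(&tar.Header{Name: l[0], Linkname: l[1], Typeflag: tar.TypeSymlink})
	}
	tw.Close()
	return buf
}

func main() {
	links := [][2]string{{"local/ok", "../alloc/data"}, {"local/up", "../../abc-old/secrets"}, {"task/abs", "/etc/passwd"}}
	fmt.Println(EscapingSymlinks(SampleArchive(links), "/srv/sandbox/abc"))
}
```

The check is purely lexical: an unpacker that writes entries through symlinks it has already extracted also needs to resolve the parent directory on disk (for example with `filepath.EvalSymlinks`) before comparing.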
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.