Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security review: warn if NOT --pull-policy=always in container #2222

Closed
1 task
natalieparellano opened this issue Apr 23, 2024 · 1 comment · Fixed by buildpacks/pack-private#31
Closed
1 task

Security review: warn if NOT --pull-policy=always in container #2222

natalieparellano opened this issue Apr 23, 2024 · 1 comment · Fixed by buildpacks/pack-private#31
Assignees
@natalieparellano

Comments

@natalieparellano
Copy link
Member

natalieparellano commented Apr 23, 2024
edited
Loading

Description

In the security review, this is HIGH-1: Host compromise by overwriting trusted container images. The action plan asks us to ensure that

The CNB platform should prevent users from creating final application images having the same tags as trusted builders or as the trusted lifecycle image used when building applications

The underlying root cause of the vulnerability is using a shared docker daemon as a source and sink for builds (vs the registry, where namespace permissions prevent unauthorized writes).

Proposed solution

If we detect that pack is running in a container, we should warn if NOT --pull-policy=always. The warning message should mention that this configuration is insecure and that support may be removed in the future.

Describe alternatives you've considered

Related issue:#2223.

Additional context

  • This feature should be documented somewhere
@natalieparellano natalieparellano mentioned this issue Jul 17, 2024
Closed
1 task
@natalieparellano natalieparellano changed the title Security review: warn if --pull-policy=always or --publish=true in container Security review: warn if --pull-policy=always and --publish=true in container May 2, 2024
@natalieparellano natalieparellano changed the title Security review: warn if --pull-policy=always and --publish=true in container Security review: warn if NOT (--pull-policy=always or --publish=true) in container May 2, 2024
@natalieparellano natalieparellano changed the title Security review: warn if NOT (--pull-policy=always or --publish=true) in container Security review: warn if NOT --pull-policy=always in container May 2, 2024
@natalieparellano
Copy link
Member Author

Note: previous versions of this issue mentioned checking that --publish=true. But that only prevents the current invocation from polluting the daemon for future invocations. To ensure the current invocation is safe, we only need to care about the pull policy.

@natalieparellano natalieparellano mentioned this issue May 2, 2024
Merged
@natalieparellano natalieparellano self-assigned this Jul 1, 2024
@natalieparellano natalieparellano transferred this issue from buildpacks/pack-private Jul 17, 2024
@natalieparellano natalieparellano mentioned this issue Jul 17, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@natalieparellano natalieparellano

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Warn if NOT --pull-policy=always in container buildpacks/pack-private
1 participant
@natalieparellano