datreeio / datree

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

Home Page:https://datree.io


Why `Prevent containers from accessing host files by using high UIDs` request uid > 10 000

Socolin opened this issue · comments

Hello,

About this rule: https://hub.datree.io/built-in-rules/prevent-uid-conflicts

Why is it requiring > 10 000 and not 1 000? On Unix, UIDs for user accounts start at 1 000 by default: https://linux.die.net/man/8/adduser

Values between 0 and 999 are typically reserved for system accounts.

The value 1 000 is also used in examples here

https://github.com/datreeio/datree/blob/0182bab534acec48ce7f14a256e60f4b17c05aa6/examples/security-best-practices/pass.yaml
It feels strange to enforce a value that large.

Hi @Socolin, this is considered a best practice by many security-focused entities. The aim is to provide a buffer in order to avoid conflicts with the host's user table, and this is agreed upon as a reasonable buffer.
The security perspective is that even with other UIDs, we risk impersonating another user on the host system if the container is compromised. To drastically reduce the probability, configured users should only start from UID 10,000.

Some references:

  1. https://cloudogu.com/en/blog/k8s-app-ops-part-3-security-context-1

  2. https://kubesec.io/basics/containers-securitycontext-runasuser/
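To make the rule discussed above concrete, here is an added example (not datree's own code) of a minimal checker that flags any container whose effective runAsUser is below 10 000, taking into account that a container-level securityContext overrides the pod-level one; the Pod manifest, the threshold constant and the choice to also flag a missing runAsUser are this example's own assumptions.

```python
"""Added example, not datree's code: a minimal check mirroring the
high-UID rule from this issue. A container is flagged unless its
effective runAsUser is at least MIN_UID."""

MIN_UID = 10_000  # threshold the rule enforces, per the answer above


def effective_run_as_user(pod_spec, container):
    """Container securityContext takes precedence over the pod-level one
    (Kubernetes precedence). Returns None when neither sets runAsUser,
    meaning the UID comes from the image (frequently root)."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod_spec.get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return c_ctx["runAsUser"]
    return p_ctx.get("runAsUser")


def check_high_uid(manifest, min_uid=MIN_UID):
    """Return (container name, reason) tuples for every violating container,
    regular and init containers alike."""
    spec = manifest.get("spec", {})
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        uid = effective_run_as_user(spec, c)
        if uid is None:  # example's own choice: an unset UID is a finding
            violations.append((c["name"], "runAsUser not set; UID decided by the image"))
        elif uid < min_uid:
            violations.append((c["name"], f"runAsUser {uid} is below {min_uid}"))
    return violations


# Constructed manifest: the pod-level UID passes, but one container
# overrides it with 1000 and an init container runs as root.
POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsUser": 10001},
        "containers": [
            {"name": "app", "image": "example/app"},             # inherits 10001
            {"name": "sidecar", "image": "example/sidecar",
             "securityContext": {"runAsUser": 1000}},           # overrides: flagged
        ],
        "initContainers": [
            {"name": "init", "image": "example/init",
             "securityContext": {"runAsUser": 0}},              # root: flagged
        ],
    },
}

if __name__ == "__main__":
    for name, reason in check_high_uid(POD):
        print(f"{name}: {reason}")
```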

Thanks for the explanation.

I would have expected this to be handled by namespaces; from what I see there is a user namespace in k8s now
https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces

Yes, looks like user namespaces will mitigate this security risk, but this feature is only available in v1.25, so this rule is relevant to all earlier versions 👍

Is there a way to specify the version used to datree so that it ignores this warning?

You can just turn off (disable) this rule and this way it will not run:
https://hub.datree.io/dashboard/policies#customizing-a-policy

Is there any way to disable this with a file, like in ~/.config/datree/ or something like that, to avoid adding an annotation on every resource? I'm using datree without an account (and I would like to avoid having a new secret to manage in the pipeline), so I don't have access to this UI.

Hi @Socolin
You can skip a certain rule by adding the cli skip annotation. Here's a link to the docs: https://hub.datree.io/configuration/behavior#skip-specific-rules-for-a-single-object

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.