Skip to content

Commit

Permalink
Ensure that we appropriately warn that TCP is insecure
Browse files Browse the repository at this point in the history
`podman system service` + TCP is not a configuration we should be
recommending. There was already language about this in the
manpages, but it was not sufficient in explaining how bad of an
idea this is. Expand the manpage warnings, add a dedicated
heading so people notice, and add a warning every time the
service starts with a TCP URL that directs people to the manpage
to see that explanation.

Signed-off-by: Matt Heon <[email protected]>
  • Loading branch information
mheon authored and ashley-cui committed Jul 20, 2023
1 parent 0115a48 commit 09b1da3
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 4 deletions.
6 changes: 6 additions & 0 deletions cmd/podman/system/service_abi.go
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,12 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
}
}
case "tcp":
// We want to check if the user is requesting a TCP address.
// If so, warn that this is insecure.
// Ignore errors here, the actual backend code will handle them
// better than we can here.
logrus.Warnf("Using the Podman API service with TCP sockets is not recommended, please see `podman system service` manpage for details")

host := uri.Host
if host == "" {
// For backward compatibility, support "tcp:<host>:<port>" and "tcp://<host>:<port>"
Expand Down
11 changes: 8 additions & 3 deletions docs/source/markdown/podman-system-service.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,9 +66,14 @@ To access the API service inside a container:
- mount the socket as a volume
- run the container with `--security-opt label=disable`

Please note that the API grants full access to Podman's capabilities, and allows arbitrary code execution as the user running the API.
We strongly recommend against making the API socket available via the network.
The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API.
### Security

Please note that the API grants full access to all Podman functionality, and thus allows arbitrary code execution as the user running the API, with no ability to limit or audit this access.
The API's security model is built upon access via a Unix socket with access restricted via standard file permissions, ensuring that only the user running the service will be able to access it.
We *strongly* recommend against making the API socket available via the network (IE, bindings the service to a *tcp* URL).
Even access via Localhost carries risks - anyone with access to the system will be able to access the API.
If remote access is required, we instead recommend forwarding the API socket via SSH, and limiting access on the remote machine to the greatest extent possible.
If a *tcp* URL must be used, using the *--cors* option is recommended to improve security.

## OPTIONS

Expand Down
7 changes: 6 additions & 1 deletion test/system/271-tcp-cors-server.bats
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,18 @@ SOCKET_FILE="$UNIT_DIR/$SERVICE_NAME.socket"
@test "podman system service - tcp CORS" {
skip_if_remote "system service tests are meaningless over remote"
PORT=$(random_free_port 63000-64999)
$PODMAN system service --cors="*" tcp:$SERVICE_TCP_HOST:$PORT -t 20 &
log=${PODMAN_TMPDIR}/system-service.log
$PODMAN system service --cors="*" tcp:$SERVICE_TCP_HOST:$PORT -t 20 2> $log &
podman_pid="$!"
sleep 5s
run curl -s --max-time 10 -vvv $SERVICE_TCP_HOST:$PORT/_ping 2>&1
is "$output" ".*< Access-Control-Allow-Origin: \*.*" "access-control-allow-origin verifies CORS is set"
kill $podman_pid
wait $podman_pid || true

# Running server over TCP is a bad idea. We should see a warning
assert "$(< $log)" =~ "Using the Podman API service with TCP sockets" \
"podman warns about server on TCP"
}

@test "podman system service - tcp without CORS" {
Expand Down

0 comments on commit 09b1da3

Please sign in to comment.