From 09b1da382f490341e1774dca485ca1de4f118f17 Mon Sep 17 00:00:00 2001 From: Matt Heon Date: Thu, 20 Jul 2023 11:42:27 -0400 Subject: [PATCH] Ensure that we appropriately warn that TCP is insecure `podman system service` + TCP is not a configuration we should be recommending. There was already language about this in the manpages, but it was not sufficient in explaining how bad of an idea this is. Expand the manpage warnings, add a dedicated heading so people notice, and add a warning every time the service starts with a TCP URL that directs people to the manpage to see that explanation. Signed-off-by: Matt Heon --- cmd/podman/system/service_abi.go | 6 ++++++ docs/source/markdown/podman-system-service.1.md | 11 ++++++++--- test/system/271-tcp-cors-server.bats | 7 ++++++- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go index db4a08f5d5..6c2d9bf44b 100644 --- a/cmd/podman/system/service_abi.go +++ b/cmd/podman/system/service_abi.go @@ -81,6 +81,12 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities } } case "tcp": + // We want to check if the user is requesting a TCP address. + // If so, warn that this is insecure. + // Ignore errors here, the actual backend code will handle them + // better than we can here. + logrus.Warnf("Using the Podman API service with TCP sockets is not recommended, please see `podman system service` manpage for details") + host := uri.Host if host == "" { // For backward compatibility, support "tcp::" and "tcp://:" diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index d039f48ccb..a7591cca65 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -66,9 +66,14 @@ To access the API service inside a container: - mount the socket as a volume - run the container with `--security-opt label=disable` -Please note that the API grants full access to Podman's capabilities, and allows arbitrary code execution as the user running the API. -We strongly recommend against making the API socket available via the network. -The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API. +### Security + +Please note that the API grants full access to all Podman functionality, and thus allows arbitrary code execution as the user running the API, with no ability to limit or audit this access. +The API's security model is built upon access via a Unix socket with access restricted via standard file permissions, ensuring that only the user running the service will be able to access it. +We *strongly* recommend against making the API socket available via the network (IE, bindings the service to a *tcp* URL). +Even access via Localhost carries risks - anyone with access to the system will be able to access the API. +If remote access is required, we instead recommend forwarding the API socket via SSH, and limiting access on the remote machine to the greatest extent possible. +If a *tcp* URL must be used, using the *--cors* option is recommended to improve security. ## OPTIONS diff --git a/test/system/271-tcp-cors-server.bats b/test/system/271-tcp-cors-server.bats index 7282050a5c..834beecd61 100644 --- a/test/system/271-tcp-cors-server.bats +++ b/test/system/271-tcp-cors-server.bats @@ -16,13 +16,18 @@ SOCKET_FILE="$UNIT_DIR/$SERVICE_NAME.socket" @test "podman system service - tcp CORS" { skip_if_remote "system service tests are meaningless over remote" PORT=$(random_free_port 63000-64999) - $PODMAN system service --cors="*" tcp:$SERVICE_TCP_HOST:$PORT -t 20 & + log=${PODMAN_TMPDIR}/system-service.log + $PODMAN system service --cors="*" tcp:$SERVICE_TCP_HOST:$PORT -t 20 2> $log & podman_pid="$!" sleep 5s run curl -s --max-time 10 -vvv $SERVICE_TCP_HOST:$PORT/_ping 2>&1 is "$output" ".*< Access-Control-Allow-Origin: \*.*" "access-control-allow-origin verifies CORS is set" kill $podman_pid wait $podman_pid || true + + # Running server over TCP is a bad idea. We should see a warning + assert "$(< $log)" =~ "Using the Podman API service with TCP sockets" \ + "podman warns about server on TCP" } @test "podman system service - tcp without CORS" {