cp, save and export allow replacing irregular files #1514

Closed
sw-pschmied opened this issue Nov 13, 2018 · 0 comments · Fixed by #1515

Description

The docker commands cp, save and export allow replacing irregular files - e.g. devices under /dev. Please see the following screenshot to demonstrate this misbehaviour:

[Screenshot: docker-dev-random]

As you can see, the device /dev/random was replaced with a file containing the saved docker image. This was originally discovered when executing docker save <image> -o /dev/null when performing tests, only to find out that applications relying on the /dev/null device are misbehaving.

While I think there's no valid use-case for this behaviour, the best solution would be to disallow irregular files for the commands mentioned above. This prevents people from accidentally damaging parts of their system.

A PR regarding this is on its way.

Steps to reproduce the issue:

  1. Pull an arbitrary docker image: docker pull ubuntu:latest
  2. Save the pulled image to a file using the -o option: docker save ubuntu:latest -o /dev/random
  3. Confirm that the device itself has been replaced with a regular file: stat /dev/random shows regular file instead of character special file.

Describe the results you received:

The device/irregular file has been replaced with the output of cp/export/save.

Describe the results you expected:

Replacing devices/irregular files should be prevented by the CLI to prevent system damage.

Output of docker version:

Docker version 19.03.0-dev, build 374b480e

Output of docker info:

Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 187
Server Version: 17.12.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9b55aab90508bd389d7654c4baf173a981477d55
runc version: 9f9c96235cc97674e935002fc3d78361b696a69e
init version: v0.13.0 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: [...]
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.55GiB
Name: [...]
ID: CR7L:OCP4:IZ76:VHOD:ZCDV:PLTN:QKYD:D7TV:OYKN:3QB5:TQTN:QCAK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
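
A pre-flight check of the kind the issue asks for, as an added example that is not part of the original issue and not the docker CLI's own code. `validateOutputPath` and `ErrIrregularTarget` are hypothetical names, and the paths in `main` are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
)

// ErrIrregularTarget marks an output path that exists but is not a regular file.
var ErrIrregularTarget = errors.New("output path is not a regular file")

// validateOutputPath is a hypothetical pre-flight check for an -o/--output
// style argument. A path that does not exist yet is accepted (it will be
// created); a path that exists must be a regular file.
func validateOutputPath(path string) error {
	// Stat follows symlinks, so a link that points at a device is judged
	// by its target instead of being accepted as "just a link".
	info, err := os.Stat(path)
	if errors.Is(err, fs.ErrNotExist) {
		return nil
	}
	if err != nil {
		return fmt.Errorf("cannot inspect %q: %w", path, err)
	}
	if !info.Mode().IsRegular() {
		// Type() keeps only the file-type bits (directory, device,
		// character device, named pipe, socket).
		return fmt.Errorf("%w: %q has mode %v", ErrIrregularTarget, path, info.Mode().Type())
	}
	return nil
}

func main() {
	// Constructed sample targets: a character device, a directory, a new file.
	for _, p := range []string{"/dev/null", os.TempDir(), "image.tar"} {
		if err := validateOutputPath(p); err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Println("ok:", p)
	}
}
```

The check runs before any data is written, so a rejected target is never opened or touched.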