[Podman] Re: pathless execution of iptables

On Thu, Jan 23, 2020 at 13:17 Julen Landa Alustiza wrote: > Good morning everyone > > I'm using duply on my homelab backup system and noticed today that when > I include a podman run blablabla on a pre script, this is trying to call > 'iptables' without any path, and results that duply does not add > /usr/sbin to the $PATH on the pre scripts execution environment when is > executed as root, so the iptables call ends with an error: > > Output: time="2020-01-23T02:00:02+01:00" level=error msg="Error adding > network: failed to locate iptables: exec: \"iptables\": executable file > not found in $PATH" > time="2020-01-23T02:00:02+01:00" level=error msg="Error while adding pod > to CNI network \"podman\": failed to locate iptables: exec: > \"iptables\": executable file not found in $PATH" > Error: error configuring network namespace for container > fbaad57e6a9d1894624b67cb2f3e9d8483af56bf71680befabfbb85fd589e640: failed > to locate iptables: exec: "iptables": executable file not found in $PATH > > So I'm asking here... should we rely on $PATH to reach iptables > executable, or hardcode /usr/sbin as it path? If an attacker managed to > alter my $PATH, could open an attack vector due to this $PATH thing and > use a malicious iptables located on a different path with higher > precedence on my $PATH ? > If one can change your PATH, then you could be using a malicious podman, rendering the hardcoded /usr/sbin not enough... Perhaps podman could append /usr/sbin to the PATH if it's not already there ? -Tristan _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io