On 1/23/20 2:23 PM, Tristan Cacqueray wrote:
On Thu, Jan 23, 2020 at 13:17 Julen Landa Alustiza wrote:
Good morning everyone

I'm using duply on my homelab backup system and noticed today that when 
I include a podman run blablabla in a pre script, this is trying to call 
'iptables' without any path, and it turns out that duply does not add 
/usr/sbin to the $PATH in the pre scripts' execution environment when it 
is executed as root, so the iptables call ends with an error:

Output: time="2020-01-23T02:00:02+01:00" level=error msg="Error adding 
network: failed to locate iptables: exec: \"iptables\": executable file 
not found in $PATH"
time="2020-01-23T02:00:02+01:00" level=error msg="Error while adding pod 
to CNI network \"podman\": failed to locate iptables: exec: 
\"iptables\": executable file not found in $PATH"
Error: error configuring network namespace for container 
fbaad57e6a9d1894624b67cb2f3e9d8483af56bf71680befabfbb85fd589e640: failed 
to locate iptables: exec: "iptables": executable file not found in $PATH

So I'm asking here... should we rely on $PATH to reach the iptables 
executable, or hardcode /usr/sbin as its path? If an attacker managed to 
alter my $PATH, could it open an attack vector due to this $PATH thing and 
use a malicious iptables located on a different path with higher 
precedence in my $PATH?

If one can change your PATH, then you could be using a malicious podman,
rendering the hardcoded /usr/sbin not enough...
Perhaps podman could append /usr/sbin to the PATH if it's not already
there ?

-Tristan

_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io

I don't believe podman is executing iptables directly; this is coming from the CNI Plugins, I believe.