On 1/23/20 2:23 PM, Tristan Cacqueray wrote:
On Thu, Jan 23, 2020 at 13:17 Julen Landa Alustiza wrote:
> Good morning everyone
> I'm using duply on my homelab backup system and noticed today that when
> I include a podman run blablabla on a pre script, this is trying to call
> 'iptables' without any path, and results that duply does not add
> /usr/sbin to the $PATH on the pre scripts execution environment when is
> executed as root, so the iptables call ends with an error:
> Output: time="2020-01-23T02:00:02+01:00" level=error msg="Error adding
> network: failed to locate iptables: exec: \"iptables\": executable file
> not found in $PATH"
> time="2020-01-23T02:00:02+01:00" level=error msg="Error while adding
> to CNI network \"podman\": failed to locate iptables: exec:
> \"iptables\": executable file not found in $PATH"
> Error: error configuring network namespace for container
> fbaad57e6a9d1894624b67cb2f3e9d8483af56bf71680befabfbb85fd589e640: failed
> to locate iptables: exec: "iptables": executable file not found in $PATH
> So I'm asking here... should we rely on $PATH to reach iptables
> executable, or hardcode /usr/sbin as it path? If an attacker managed to
> alter my $PATH, could open an attack vector due to this $PATH thing and
> use a malicious iptables located on a different path with higher
> precedence on my $PATH ?
If one can change your PATH, then you could be using a malicious podman,
rendering the hardcoded /usr/sbin not enough...
Perhaps podman could append /usr/sbin to the PATH if it's not already
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
I don't believe podman is executing iptables directly, this is coming
from the CNI PLugins, I believe.