Volume Mount With OS Directory Write Permissions

Query id: a62a99d1-8196-432f-8f80-3c100b05d62a
Query name: Volume Mount With OS Directory Write Permissions
Platform: Terraform
Severity: High
Category: Resource Management
CWE: 284
URL: Github

Description¶

Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - tf file

Positive test num. 2 - tf file

Positive test num. 3 - tf file

id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1">resource "kubernetes_pod" "test" { metadata { name = "terraform-example" } spec { container { class="w"> volume_mount { name = "config-volume" mount_path = "/bin" } image = "nginx:1.7.9" name = "example" env { name = "environment" value = "test" } port { container_port = 8080 } liveness_probe { http_get { path = "/nginx_status" port = 80 http_header { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } } id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1">resource "kubernetes_pod" "test2" { metadata { name = "terraform-example" } spec { container { volume_mount { name = "config-volume" mount_path = "/bin" class="w"> read_only = false } image = "nginx:1.7.9" name = "example" env { name = "environment" value = "test" } port { container_port = 8080 } liveness_probe { http_get { path = "/nginx_status" port = 80 http_header { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } } id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1">resource "kubernetes_pod" "test3" { metadata { name = "terraform-example" } spec { container { volume_mount = [ { name = "config-volume" mount_path = "/bin" class="w"> read_only = false } ] image = "nginx:1.7.9" name = "example" env { name = "environment" value = "test" } port { container_port = 8080 } liveness_probe { http_get { path = "/nginx_status" port = 80 http_header { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } }

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "kubernetes_pod" "testttt" {
  metadata {
    name = "terraform-example"
  }

  spec {
    container {
      volume_mount {
        name       = "config-volume"
        mount_path = "/etc/config"
        read_only  = true
      }

      image = "nginx:1.7.9"
      name  = "example"

      env {
        name  = "environment"
        value = "test"
      }

      port {
        container_port = 8080
      }

      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80

          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }

        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }

    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]

      option {
        name  = "ndots"
        value = 1
      }

      option {
        name = "use-vc"
      }
    }

    dns_policy = "None"
  }
}