Volume Mount With OS Directory Write Permissions
- Query id: a62a99d1-8196-432f-8f80-3c100b05d62a
- Query name: Volume Mount With OS Directory Write Permissions
- Platform: Terraform
- Severity: High
- Category: Resource Management
- CWE: 284
- Risk score: 8.0
- URL: Github
Description¶
Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "kubernetes_pod" "test10" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume1"
mount_path = "/bin"
}
image = "nginx:1.7.9"
name = "example1"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "test11" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume2"
mount_path = "/bin"
}
image = "nginx:1.7.9"
name = "example2"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
container {
volume_mount {
name = "config-volume3"
mount_path = "/bin"
}
image = "nginx:1.7.9"
name = "example3"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "test12" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume4"
mount_path = "/bin"
}
volume_mount {
name = "config-volume5"
mount_path = "/bin"
}
image = "nginx:1.7.9"
name = "example4"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
container {
image = "nginx:1.7.9"
name = "example5"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "test13" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume6"
mount_path = "/bin"
}
volume_mount {
name = "config-volume7"
mount_path = "/bin"
}
image = "nginx:1.7.9"
name = "example6"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
Positive test num. 2 - tf file
resource "kubernetes_pod" "test20" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume1"
mount_path = "/bin"
read_only = false
}
image = "nginx:1.7.9"
name = "example1"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "test21" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume2"
mount_path = "/bin"
read_only = false
}
image = "nginx:1.7.9"
name = "example2"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
container {
volume_mount {
name = "config-volume3"
mount_path = "/bin"
read_only = false
}
image = "nginx:1.7.9"
name = "example3"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "test22" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume4"
mount_path = "/bin"
read_only = false
}
volume_mount {
name = "config-volume5"
mount_path = "/bin"
read_only = false
}
image = "nginx:1.7.9"
name = "example4"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
container {
image = "nginx:1.7.9"
name = "example5"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "test23" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume6"
mount_path = "/bin"
read_only = false
}
volume_mount {
name = "config-volume7"
mount_path = "/bin"
read_only = false
}
image = "nginx:1.7.9"
name = "example6"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "kubernetes_pod" "testttt" {
metadata {
name = "terraform-example"
}
spec {
container {
volume_mount {
name = "config-volume"
mount_path = "/etc/config"
read_only = true
}
image = "nginx:1.7.9"
name = "example"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}