Major Security Issue with Kathara install about kathara HOT 5 CLOSED

From version 2.0.3 (check the tags on master branch or the releases).

It's basically a complete rewrite from there, so linking a specific commit would be pointless.

from kathara.

Hi @alexdu59 thanks for your submission!
Indeed those are 2 big oversights on my part. Thank you for pointing them out so that users are aware of them.

However this week the team will be launching the new version of Katharà that won't be using the wrapper at all.

As we're still dealing with docker, I'd be very happy if you could also take a look in the new version once it's publicly available. In the meantime keep pointing out security issues with the current version, since the new version is still somehow based on this one.

from kathara.

I'm leaving the issue open until the new version is out, so that it's visible.

from kathara.

Hi @alexdu59 ,
we released now the new version of Kathará.

Both the vulnerabilities you figured out are now fixed.
The wrapper is no longer existing and the python code will use the Docker API to launch containers.

The need of setuid is now replaced with setgid with the "docker" group. This is needed because this software needs to run on some shared computers where the user do not have sudo access to the system (University lab computers). If we let the student user to run sudo commands they could tamper with the system.

I'd be very happy if you could also take a look in the new version code to eventually find out new vulnerabilities.

from kathara.

@lorenzo93 Could you link me to the commits where the vulns have been solved?

from kathara.