Comments (5)
From version 2.0.3 (check the tags on master branch or the releases).
It's basically a complete rewrite from there, so linking a specific commit would be pointless.
from kathara.
Hi @alexdu59, thanks for your submission!
Indeed those are 2 big oversights on my part. Thank you for pointing them out so that users are aware of them.
However, this week the team will be launching the new version of Kathará that won't be using the wrapper at all.
As we're still dealing with docker, I'd be very happy if you could also take a look at the new version once it's publicly available. In the meantime, keep pointing out security issues with the current version, since the new version is still somehow based on this one.
from kathara.
I'm leaving the issue open until the new version is out, so that it's visible.
from kathara.
Hi @alexdu59,
we have now released the new version of Kathará.
Both the vulnerabilities you figured out are now fixed.
The wrapper no longer exists and the python code will use the Docker API to launch containers.
The need for setuid is now replaced with setgid with the "docker" group. This is needed because this software needs to run on some shared computers where the users do not have sudo access to the system (University lab computers). If we let the student users run sudo commands, they could tamper with the system.
I'd be very happy if you could also take a look at the new version code to eventually find out new vulnerabilities.
from kathara.
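An added example, not part of the thread or of the Kathará code base: a small audit that lists setuid and setgid files under an install directory, which is how an administrator could confirm the setuid-to-setgid change described in the comment above. The group name `docker` comes from that comment; the function names and the directory passed on the command line are assumptions made for illustration.

```python
import grp
import os
import pwd
import stat
import sys


def classify(mode, owner, group, privileged_group="docker"):
    """Return findings for one file, given its st_mode and owner/group names."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings
    if mode & stat.S_ISUID:
        findings.append(f"setuid: runs as user '{owner}'")
    # setgid changes the effective group only when group-execute is also set.
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        note = f"setgid: runs with group '{group}'"
        if group == privileged_group:
            note += " (group can talk to the Docker daemon)"
        findings.append(note)
    if findings and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def _name(lookup, ident):  # resolve a uid/gid to a name, else keep the number
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def audit(root):
    """Walk root and map each privileged file path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)  # lstat: do not follow symlinks
            found = classify(st.st_mode, _name(pwd.getpwuid, st.st_uid),
                             _name(grp.getgrgid, st.st_gid))
            if found:
                report[path] = found
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    for path, found in sorted(audit(sys.argv[1]).items()):
        print(path, "; ".join(found), sep=": ")
```

Run it with the install directory as the only argument; an empty report means no file under that directory carries setuid or an effective setgid bit.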
@lorenzo93 Could you link me to the commits where the vulns have been solved?
from kathara.