
[Regression] -Setuid binaries introduced in docker image

Open stetskevych opened this issue 8 months ago • 4 comments

Describe the bug
An April 2024 release of Amazon Linux 2023 introduced the setuid bit on two binaries which did not have the setuid bit set on them before. This was detected by our automated security scan. It is strongly advised to avoid having setuid binaries inside the docker image to avoid potential security issues (privilege escalations). This is a regression as before April 2025 the AL2023 docker image did not have setuid binaries. ~~Amazon Linux 2 is also affected by this, starting in April 2025 as well.~~ Amazon Linux 2 is not affected.

To Reproduce
Command line to list setuid files in a docker image:

docker run -d $image sleep 10 | xargs -I {} docker export {} | tar -tv 2>/dev/null | grep -E '^[-rwx]{2,}(s|S).*\s[0-9]'

List of suid files currently found:

-rwsr-xr-x 0 0 0 200464 29 Jan 2024 usr/sbin/pam_timestamp_check
-rwsr-xr-x 0 0 0 200752 29 Jan 2024 usr/sbin/unix_chkpwd

Expected behavior
No setuid binaries should be present in the docker image. The image was free of them before, this is a regression.

stetskevych avatar Apr 23 '25 06:04 stetskevych
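The check described in the report, written out as an added example (not from the issue or the Amazon Linux project): a `tar -tv` listing is parsed by mode string instead of a loose regex, so setuid and setgid bits are reported separately and directories or symlinks cannot match by accident. It assumes the listing puts the mode in the first field and the path in the last (true for GNU tar and bsdtar) and that paths contain no spaces; the sample listing is constructed.

```shell
#!/bin/sh
# Report setuid/setgid entries from a `tar -tv` listing read on stdin.
# Mode string layout: position 1 = type, 2-4 = user rwx, 5-7 = group rwx,
# 8-10 = other rwx. 's'/'S' in position 4 means setuid, in position 7 setgid
# (uppercase means the bit is set without the matching execute bit).
list_setuid_entries() {
    awk '{
        m = $1
        u = substr(m, 4, 1); g = substr(m, 7, 1)
        flags = ""
        if (u == "s" || u == "S") flags = "setuid"
        if (g == "s" || g == "S") flags = (flags != "" ? flags "," : "") "setgid"
        if (flags != "") print flags, m, $NF   # flags mode path
    }'
}

# Count matching entries; handy for a pass/fail gate in CI.
setuid_count() {
    list_setuid_entries | awk 'END { print NR }'
}

# Wrapper for a real image (assumed usage, not run here): docker create
# avoids starting a process at all, unlike `docker run -d ... sleep 10`.
scan_image_setuid() {
    cid=$(docker create "$1") || return 1
    docker export "$cid" | tar -tvf - | list_setuid_entries
    docker rm "$cid" >/dev/null
}

# Constructed sample listing: the two entries from the report plus a plain
# binary, a setgid binary, a directory and a symlink that must not match.
SAMPLE_LISTING='-rwsr-xr-x 0 0 0 200464 29 Jan 2024 usr/sbin/pam_timestamp_check
-rwsr-xr-x 0 0 0 200752 29 Jan 2024 usr/sbin/unix_chkpwd
-rwxr-xr-x 0 0 0 123456 29 Jan 2024 usr/bin/ls
-rwxr-sr-x 0 0 0 54321 29 Jan 2024 usr/bin/write
drwxr-xr-x 0 0 0 0 29 Jan 2024 usr/sbin/
lrwxrwxrwx 0 0 0 0 29 Jan 2024 bin -> usr/bin'

printf '%s\n' "$SAMPLE_LISTING" | list_setuid_entries
```

Pipe `docker export <container> | tar -tvf -` into `list_setuid_entries` to run it against an image; a non-zero `setuid_count` is the regression signal the report describes.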

Those files are owned by pam. There was no update to pam that I'm aware of this year, though it could be that the package was simply not installed by default on the docker image before this.

It looks like pam itself was brought in as a result of a libcap update introducing a new dependency. We will look into this and see if we can fix it.

ozbenh avatar Apr 23 '25 07:04 ozbenh

Thank you, please let us know if and when you have an expected date for the fix.

stetskevych avatar Apr 23 '25 12:04 stetskevych

Updated the original description to say that Amazon Linux 2 is not affected after a reassessment was done.

stetskevych avatar Apr 23 '25 15:04 stetskevych

@ozbenh I verified your assumption that the pam package was not there before the March 31 AL2023 release.

$ export TAG=2023.6.20250317.2
$ docker run amazonlinux:$TAG rpm -qa | grep -E '(pam|cap)'
libcap-2.48-2.amzn2023.0.4.aarch64
libcap-ng-0.8.2-4.amzn2023.0.2.aarch64

$ export TAG=2023.7.20250331.0
$ docker run amazonlinux:$TAG rpm -qa | grep -E '(pam|cap)'
libcap-ng-0.8.2-4.amzn2023.0.2.aarch64
libcap-2.73-1.amzn2023.0.1.aarch64
pam-1.5.1-8.amzn2023.0.4.aarch64

$ docker run amazonlinux:$TAG rpm --test -e pam
error: Failed dependencies:
	libpam.so.0()(64bit) is needed by (installed) libpwquality-1.4.4-6.amzn2023.0.2.aarch64
	libpam.so.0()(64bit) is needed by (installed) libcap-2.73-1.amzn2023.0.1.aarch64
	libpam.so.0(LIBPAM_1.0)(64bit) is needed by (installed) libpwquality-1.4.4-6.amzn2023.0.2.aarch64
	libpam.so.0(LIBPAM_1.0)(64bit) is needed by (installed) libcap-2.73-1.amzn2023.0.1.aarch64
	libpam.so.0(LIBPAM_EXTENSION_1.0)(64bit) is needed by (installed) libpwquality-1.4.4-6.amzn2023.0.2.aarch64
	libpam.so.0(LIBPAM_EXTENSION_1.1.1)(64bit) is needed by (installed) libpwquality-1.4.4-6.amzn2023.0.2.aarch64
	pam(aarch-64) is needed by (installed) libpwquality-1.4.4-6.amzn2023.0.2.aarch64

Hoping pam can be removed from the image to avoid shipping setuid binaries in the default configuration. Thank you.

stetskevych avatar Apr 23 '25 20:04 stetskevych

This was fixed as part of the https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.7.20250428.html release. Resolving issue.

stewartsmith avatar May 29 '25 18:05 stewartsmith