"Mysterious" admin user created in Rancher upon cluster deployment

#1

Hi, I have a weird problem with my Rancher installation I use for testing/learning, where an admin user gets created when I deploy a cluster using an unofficial driver for Hetzner Cloud. Please see the GitHub issue linked below for more details. Question: is it possible, as I suspect, for a custom node driver to somehow compromise a Rancher installation by creating admin users etc.? Am I dreaming? After all, it’s binary code that gets executed by Rancher, right?

Otherwise, is there any other possible explanation for what I have described? My Rancher server (it’s a single node install) has SSH root access and password auth disabled, has Fail2ban installed, a firewall, etc., etc., and there’s nothing else installed other than Rancher. Only thing is that Rancher is exposed directly to the Internet instead of being behind a reverse proxy (as it was easier for the Let’s Encrypt thing). Could Rancher have been compromised?

Thanks in advance for your help.

#2

Theoretically, but that’s quite a leap to make without any evidence when there are lots of simpler potential explanations (e.g. bad passwords on existing accounts)

Which driver (URL) and checksum are you using?

By “user” do you mean Global nav -> Users? What does the JSON for the user look like (View in API action)

#3

I set up a new machine, created a 2nd local user, deleted the default admin, added the version in the UI readme and deployed a cluster with the driver and don’t see extra users. There’s also nothing obvious from trivial analysis of the driver binary (e.g. strings docker-machine-driver-hetzner).
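The two checks raised in #2 and #3, pinning the driver to a published checksum and eyeballing the strings in the binary, as a small POSIX shell script. This is an added example, not code from the thread, from Rancher or from the Hetzner driver project; the file path and expected hash in the usage comment are placeholders, and the `driver_strings` function is a portable stand-in for `strings` rather than the binutils tool itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from Rancher / the driver project.
# Two quick checks on a custom node-driver binary before Rancher is allowed to run it.

# verify_driver FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 matches the hash published on the driver's
# release page, 1 otherwise (also 1 when the file is unreadable).
verify_driver() {
  file="$1"
  expected="$2"
  [ -r "$file" ] || return 1
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# driver_strings FILE [MINLEN]
# Portable substitute for `strings`: replaces every non-printable byte with a
# newline and keeps runs of at least MINLEN (default 6) printable characters,
# so URLs, hostnames and unexpected paths embedded in the binary can be reviewed.
driver_strings() {
  file="$1"
  minlen="${2:-6}"
  tr -c '[:print:]' '\n' < "$file" | grep -E "^.{$minlen,}$"
}

# driver_network_strings FILE
# Narrows the list to strings that look like endpoints the driver could contact
# (http/https URLs or dotted IPv4 literals), which is what a reviewer would
# compare against the API the driver is documented to use.
driver_network_strings() {
  driver_strings "$1" | grep -Ei 'https?://|[0-9]{1,3}(\.[0-9]{1,3}){3}'
}

# Example use with placeholder values (no real driver path or hash from the thread):
#   verify_driver ./docker-machine-driver-hetzner "<sha256 from the release page>" \
#     && driver_network_strings ./docker-machine-driver-hetzner
```

A checksum match only tells you the binary is the one the driver author published; it says nothing about what that binary does, which is why the string review is a separate step and why, as #5 notes, the window in which the driver actually runs is short and should line up with any activity you attribute to it.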

#4

Hi Vincent, the funny thing is that the admin user doesn’t appear right away after provisioning the cluster… lol. I have no idea of what’s going on if the problem is not that driver.

#5

The driver binary is (normally) only running for the time the machine is created until it’s done provisioning, a couple minutes. Though still possible, happening outside of that time period suggests it probably has nothing to do with the driver…

#6

Update! This gets weirder and weirder!!!

[Description of a vulnerability removed pending a release fixing it – @vincent]

#7

Another little update… this is even worse than I thought :frowning:

[Description of a vulnerability removed pending a release fixing it – @vincent]

Can someone try this please and let me know whether it’s a problem/bug/whatever in Rancher or whether there is something wrong with my setup? I just run Rancher with the usual Docker run command of course, nothing different.

#8

[Description of a vulnerability removed pending a release fixing it – @vincent]

#9

[Description of a vulnerability removed pending a release fixing it – @vincent]

#10

The cause of this is not related to the Hetzner (or any other) driver but to an unrelated issue that will be fixed and disclosed in an upcoming release. I’ve edited out the details above for now, but thanks to @Vito_Botta for finding it.