
[NemoClaw] nemoclaw-start.sh: config integrity check bypassed in non-root mode — script continues after SHA256 failure #1013

@latenighthackathon

Description


In scripts/nemoclaw-start.sh (lines 218–223), when the container runs as a non-root user, the SHA256 config integrity check failure is non-fatal. The script logs a warning but continues execution, completely bypassing the security model that protects openclaw.json from tampering.

What happens: In non-root mode, if verify_config_integrity() fails (indicating openclaw.json has been modified), the script prints a warning and proceeds to start the gateway with the tampered config.

What should happen: The config integrity check failure should be fatal in all modes. If the config hash doesn't match, the sandbox should refuse to start regardless of whether it's running as root or non-root.

Reproduction Steps

  1. Start a NemoClaw sandbox in non-root mode (e.g., in an environment where the container cannot run as root)
  2. Modify /sandbox/.openclaw/openclaw.json — change the auth token, model, or provider
  3. The SHA256 hash in /sandbox/.openclaw/.config-hash no longer matches
  4. When nemoclaw-start.sh runs, observe the output:
    [gateway] Running as non-root (uid=1000) — privilege separation disabled
    [SECURITY WARNING] Config integrity check failed — proceeding anyway (non-root mode)
    
  5. The gateway starts with the tampered config

Environment

  • Code review of main branch (commit HEAD as of 2026-03-26)
  • Affected file: scripts/nemoclaw-start.sh lines 218–223
  • Contrasted with root path at line 252 where the check IS fatal

Logs

Non-root path (lines 218–223) — check is NON-FATAL:

if [ "$(id -u)" -ne 0 ]; then
  echo "[gateway] Running as non-root (uid=$(id -u)) — privilege separation disabled"
  export HOME=/sandbox
  if ! verify_config_integrity; then
    echo "[SECURITY WARNING] Config integrity check failed — proceeding anyway (non-root mode)"
  fi

Root path (line 252) — check IS fatal (exits on failure):

verify_config_integrity

Under set -euo pipefail (line 16), the bare call to verify_config_integrity in the root path aborts the script as soon as the function returns non-zero. In the non-root path the same call sits in the condition of an if statement, where set -e does not apply: the non-zero status simply selects the warning branch, and execution continues into the gateway start-up.
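To make that difference concrete, the following is an added example and not NemoClaw's own code. It models the issue's layout (a config file plus a sidecar hash file) in a temporary directory and runs the same SHA256 check three ways: the non-fatal "if !" form from the non-root path, a bare call in a fresh set -e shell as in the root path, and a hardened gate that refuses to start in either mode. The paths, config contents and tampering step are constructed for the demonstration, and set -eu stands in for the script's set -euo pipefail, since -e is the option that matters here.

```shell
#!/usr/bin/env bash
# Added example, not NemoClaw's code. Models the issue's layout in a temp dir
# and shows why a bare call fails the script under set -e while
# `if ! cmd; then ...; fi` swallows the failure, plus a gate that is fatal
# in both root and non-root mode.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CONFIG="$WORKDIR/openclaw.json"    # hypothetical stand-in for /sandbox/.openclaw/openclaw.json
HASH_FILE="$WORKDIR/.config-hash"  # hypothetical stand-in for /sandbox/.openclaw/.config-hash

# Constructed sample config; the hash is recorded over the trusted copy.
printf '{"gateway":{"authToken":"constructed-token","model":"demo-model"}}\n' > "$CONFIG"
sha256sum "$CONFIG" | awk '{print $1}' > "$HASH_FILE"

# Recompute the digest and compare it to the recorded one; non-zero on
# mismatch or if either file is missing.
verify_config_integrity() {
  [ -f "$CONFIG" ] && [ -f "$HASH_FILE" ] || return 1
  expected="$(tr -d '[:space:]' < "$HASH_FILE")"
  actual="$(sha256sum "$CONFIG" | awk '{print $1}')"
  [ "$expected" = "$actual" ]
}

# Constructed tampering, as in reproduction step 2: swap the auth token.
tamper_config() {
  printf '{"gateway":{"authToken":"attacker-token","model":"demo-model"}}\n' > "$CONFIG"
}

# The pattern the issue reports for the non-root path: the `if !` consumes
# the non-zero status, so the gateway still starts and the function returns 0.
start_gateway_nonfatal() {
  if ! verify_config_integrity; then
    echo "[SECURITY WARNING] Config integrity check failed - proceeding anyway" >&2
  fi
  echo "gateway started"
}

# Hardened form: same check, same place, but a mismatch aborts regardless
# of uid, so root and non-root behave identically.
start_gateway_fatal() {
  if ! verify_config_integrity; then
    echo "[SECURITY ERROR] Config integrity check failed (uid=$(id -u)) - refusing to start" >&2
    return 1
  fi
  echo "gateway started"
}

# The root path's shape: a bare check in a fresh set -e shell. On mismatch the
# shell exits at the failing test and never reaches the echo; nothing catches
# the status. The check is re-stated here so the child shell is self-contained.
bare_call_under_set_e() {
  cat > "$WORKDIR/bare-check.sh" <<EOF
set -eu
expected="\$(tr -d '[:space:]' < "$HASH_FILE")"
actual="\$(sha256sum "$CONFIG" | awk '{print \$1}')"
[ "\$expected" = "\$actual" ]
echo "reached past the check"
EOF
  sh "$WORKDIR/bare-check.sh"
}
```

With the trusted config in place all three start paths succeed; after tamper_config, only start_gateway_nonfatal still returns 0, which is exactly the behaviour the issue describes. The fix is the shape of start_gateway_fatal: keep the warning text if useful for operators, but return non-zero from the branch so the tampered config never reaches the gateway.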

Checklist

  • I confirmed this bug is reproducible
  • I searched existing issues and this is not a duplicate
