On Tue, Oct 01, 2013 at 02:41:53PM +0000, "Jóhann B. Guðmundsson" wrote:
Actually the code I posted creates backdoor to give an user who runs
it the ability to gain root privileges via setcap ( setcap
cap_setuid=ep .b ).
Right, but the key is that you _already have_ root privileges in the
container.
However, certain capabilities have been dropped from the _permitted_ set;
once dropped, you can't get them back even by execing a binary with
filesystem capabilities set. Therefore, it seems fairly harmless to allow
them to be set (eg don't drop that particular capability) -- unless I'm
missing something.
--
Matthew Miller mattdm(a)mattdm.org <
http://mattdm.org/>