On 09/30/2013 04:23 AM, Daniel P. Berrange wrote:
> On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
> > Quick backstory: unless run in privileged mode, Docker drops a bunch of
> > capabilities when launching a container. One of these is setfcap. This
> > breaks binary RPMs like httpd where the daemon is installed with file
> > capabilities instead.
> >
> > We're considering removing setfcap from the list of dropped capabilities.
> > It seems safe to me (note that you run as root inside the container), but
> > I'd like some security-minded review. Could this be used for evil?
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1012952
>
> Docker with its LXC backend does not utilize any kind of MAC
> driver, nor does it utilize user namespaces, so even with those
> capabilities dropped it is still insecure if the container app runs as the
> 'root' user. As such allowing CAP_FCAP does not make the situation worse
> AFAICT
>
> Regards, Daniel
Yes, let's eliminate the idea that running as root within a container without
something like SELinux or User Namespace is going to be much more secure than
running processes as root outside the container.

I plan on working on adding SELinux to wrap the docker container as we have
done for the virt-sandbox containers, but we still allow a lot of privs to a
privileged process within the container.