leaving setfcap in docker containers
Matthew Miller
mattdm at mattdm.org
Tue Oct 1 13:27:34 UTC 2013
On Fri, Sep 27, 2013 at 07:33:28PM +0000, "Jóhann B. Guðmundsson" wrote:
> I dont have any security degrees nor do I consider myself an evil
> man and probably Steve and Dan would be better suited to answer this
> question since I'm far from being any expert on the subject but
> hypothetically would not someone being able to do something like
> this in this educational sample I'm providing
So, to cut out the code, what you're saying is that someone could use this
to create a binary which executes as effective root. This is true, but a)
one is actually running as root inside the container anyway and b) one can
just use full setuid. Additionally, this wouldn't let someone _not_ root in
the container set filesystem capabilities.
--
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
More information about the security
mailing list