leaving setfcap in docker containers
"Jóhann B. Guðmundsson"
johannbg at gmail.com
Tue Oct 1 14:41:53 UTC 2013
On 10/01/2013 01:27 PM, Matthew Miller wrote:
> On Fri, Sep 27, 2013 at 07:33:28PM +0000, "Jóhann B. Guðmundsson" wrote:
>> I dont have any security degrees nor do I consider myself an evil
>> man and probably Steve and Dan would be better suited to answer this
>> question since I'm far from being any expert on the subject but
>> hypothetically would not someone being able to do something like
>> this in this educational sample I'm providing
> So, to cut out the code, what you're saying is that someone could use this
> to create a binary which executes as effective root. This is true, but a)
> one is actually running as root inside the container anyway and b) one can
> just use full setuid. Additionally, this wouldn't let someone _not_ root in
> the container set filesystem capabilities.
>
Actually the code I posted creates backdoor to give an user who runs it
the ability to gain root privileges via setcap ( setcap cap_setuid=ep
.b ).
I intentionally left out the part how you gain superuser, big
capabilities, etc to insert it in the first place ( let's not give nsa
any more bright ideas )
JBG
More information about the security
mailing list