leaving setfcap in docker containers
Matthew Miller
mattdm at mattdm.org
Tue Oct 1 16:03:43 UTC 2013
On Tue, Oct 01, 2013 at 02:41:53PM +0000, "Jóhann B. Guðmundsson" wrote:
> Actually the code I posted creates backdoor to give an user who runs
> it the ability to gain root privileges via setcap ( setcap
> cap_setuid=ep .b ).
Right, but the key is that you _already have_ root privileges in the
container.
However, certain capabilities have been dropped from the _permitted_ set;
once dropped, you can't get them back even by execing a binary with
filesystem capabilities set. Therefore, it seems fairly harmless to allow
them to be set (eg don't drop that particular capability) -- unless I'm
missing something.
--
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
More information about the security
mailing list