leaving setfcap in docker containers
Daniel J Walsh
dwalsh at redhat.com
Sun Sep 29 11:18:25 UTC 2013
On 09/27/2013 03:33 PM, "Jóhann B. Guðmundsson" wrote:
> On 09/27/2013 05:28 PM, Matthew Miller wrote:
>>
>> We're considering removing setfcap from the list of dropped capabilities.
>> It seems safe to me
>
> I don't have any security degrees nor do I consider myself an evil man and
> probably Steve and Dan would be better suited to answer this question since
> I'm far from being any expert on the subject but hypothetically would not
> someone being able to do something like this in this educational sample I'm
> providing
>
> cd ~user
>
> vi bd.c
>
> #include <unistd.h>
> #include <fcntl.h>
>
> int main(void)
> {
>     /* become uid 0, then replace this process with a shell */
>     setuid(0);
>     char *name[2];
>     name[0] = "/bin/sh";
>     name[1] = 0x0;
>     execve(name[0], name, 0x0);
>     return 0;
> }
>
> gcc bd.c -o .b
> chown user:user .b
> chmod 750 .b
> setcap cap_setuid=ep
> rm bd.c
>
> ./.b
>
> if you did?
>
> I personally would recommend we kept it on after all Dan did push for that
> feature for a reason but as I said I'm no expert on the topic.
>
> JBG
Well currently without setfcap you can do the same thing with

gcc bd.c -o .b
chown user:user .b
chmod 4750 .b
rm bd.c

./.b

Meaning that eliminating setfcap gives the container no additional security,
just breaks things.
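
The reply above argues that the setuid bit and a cap_setuid file capability are two routes to the same result, so an audit of a container filesystem has to look for both. The following is an added example, not code from the thread: `parse_file_caps` and `audit_tree` are hypothetical names, and the layout decoded is the kernel's `security.capability` xattr (`vfs_cap_data`, revisions 1 to 3).

```python
import os
import stat
import struct

CAP_SETUID = 7                      # bit number from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# number of (permitted, inheritable) u32 pairs per xattr revision
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def parse_file_caps(raw):
    """Decode a security.capability xattr into (permitted_mask, effective_flag)."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    n = PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if n is None or len(raw) < 4 + 8 * n:
        raise ValueError("unknown or truncated vfs_cap_data")
    permitted = 0
    for i in range(n):
        # pair i carries capability bits 32*i .. 32*i+31, little-endian
        word, _inheritable = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= word << (32 * i)
    return permitted, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def audit_tree(root):
    """Return sorted (path, reason) findings for regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                findings.append((path, "setuid bit, owner uid %d" % st.st_uid))
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except (OSError, AttributeError):   # no xattr set, or not Linux
                continue
            try:
                permitted, effective = parse_file_caps(raw)
            except (ValueError, struct.error):
                findings.append((path, "unparseable security.capability"))
                continue
            if permitted & (1 << CAP_SETUID):
                findings.append((path, "cap_setuid permitted, effective=%s" % effective))
    return sorted(findings)
```

Run `audit_tree` against an unpacked image root or a mounted container filesystem; reading `security.capability` needs no privilege beyond access to the file.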