leaving setfcap in docker containers

Daniel P. Berrange berrange at redhat.com
Mon Sep 30 08:23:31 UTC 2013


On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
> Quick backstory: unless run in privileged mode, Docker drops a bunch of
> capabilities when launching a container. One of these is setfcap. This
> breaks binary RPMs like httpd where the daemon is installed with file
> capabilities instead.
> 
> We're considering removing setfcap from the list of dropped capabilities. It
> seems safe to me (note that you run as root inside the container), but I'd
> like some security-minded review. Could this be used for evil?
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1012952

Docker with its sf.net LXC backend does not utilize any kind of
MAC driver, nor does it utilize user namespaces, so even with those
capabilities dropped it is still insecure if the container app runs
as the 'root' user. As such allowing CAP_FCAP does not make the
situation worse AFAICT

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
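As an added example, not part of the thread above: a small POSIX sh script that decodes the CapBnd mask from /proc/self/status to tell whether CAP_SETFCAP (bit 31 in linux/capability.h, the capability a `setcap` call or an RPM installing file capabilities needs) is still in the bounding set of the current process, and lists the file capabilities on a binary via `getcap` where that tool is installed. Run it inside and outside a container to see the difference the dropped capability makes. The sample masks in the comments and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the capability bounding set of this process and
# report whether CAP_SETFCAP survived. Bit numbers follow linux/capability.h.
CAP_SYS_ADMIN=21
CAP_SETFCAP=31

# cap_in_mask HEXMASK BIT -> prints 1 if BIT is set in HEXMASK, else 0.
# Example (constructed): cap_in_mask 00000000a80425fb 31 -> 1
#                        cap_in_mask 00000000280425fb 31 -> 0
cap_in_mask() {
    mask=$1
    bit=$2
    echo $(( (0x$mask >> $bit) & 1 ))
}

# bounding_mask -> prints the CapBnd hex value of the current process
# (the capability set no child of this process can ever regain).
bounding_mask() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# setfcap_status HEXMASK -> "present" or "dropped" for CAP_SETFCAP
setfcap_status() {
    if [ "$(cap_in_mask "$1" "$CAP_SETFCAP")" = 1 ]; then
        echo present
    else
        echo dropped
    fi
}

# file_caps PATH -> prints the security.capability xattr of PATH via getcap,
# or a note when getcap is not installed. Setting such caps (setcap) needs
# CAP_SETFCAP in the caller's bounding set; reading them does not.
file_caps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap "$1" 2>/dev/null || echo "no file capabilities on $1"
    else
        echo "getcap not installed; cannot inspect $1"
    fi
}

# Stand-alone usage: report on this process and on an optional binary.
if [ -r /proc/self/status ]; then
    m=$(bounding_mask)
    echo "CapBnd=$m CAP_SETFCAP=$(setfcap_status "$m")"
    echo "CAP_SYS_ADMIN bit set: $(cap_in_mask "$m" "$CAP_SYS_ADMIN")"
fi
[ -n "$1" ] && file_caps "$1"
```

If CAP_SETFCAP reads as "dropped" inside the container, any `setcap` run by a package scriptlet fails at install time, which is the httpd breakage the first message describes; with it present the xattr can be written, while the rest of root's capability set (including whatever else Docker left in the bounding set) is unchanged.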

