leaving setfcap in docker containers
Daniel J Walsh
dwalsh at redhat.com
Mon Sep 30 12:19:28 UTC 2013
On 09/30/2013 04:23 AM, Daniel P. Berrange wrote:
> On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
>> Quick backstory: unless run in privileged mode, Docker drops a bunch of
>> capabilities when launching a container. One of these is setfcap. This
>> breaks binary RPMs like httpd where the daemon is installed with file
>> capabilities instead.
>>
>> We're considering removing setfcap from the list of dropped capabilities.
>> It seems safe to me (note that you run as root inside the container), but
>> I'd like some security-minded review. Could this be used for evil?
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1012952
>
> Docker with its sf.net LXC backend does not utilize any kind of MAC
> driver, nor does it utilize user namespaces, so even with those
> capabilities dropped it is still insecure if the container app runs as the
> 'root' user. As such, allowing CAP_FCAP does not make the situation worse
> AFAICT.
>
> Regards, Daniel
>
Yes, let's eliminate the idea that running as root within a container, without
something like SELinux or User Namespaces, is going to be much more secure than
running processes as root outside the container.
I plan on working on adding SELinux to wrap the docker container as we have
done for the virt-sandbox containers, but we still allow a lot of privs to a
privileged process within the container.
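An added example, not part of the thread or of Docker itself: a small POSIX shell script that decodes a capability bounding set (the CapBnd mask in /proc/self/status, or any hex mask you pass in) and reports whether CAP_SETFCAP (capability number 31 in linux/capability.h) survived. Run inside a container, it confirms whether the setfcap drop discussed above is in effect; the hex masks in the comments are constructed values, not Docker's actual defaults.

```shell
#!/bin/sh
# Decode Linux capability masks and check for CAP_SETFCAP.
# Capability numbers follow linux/capability.h; CAP_SETFCAP is bit 31.

CAP_SETFCAP=31

# cap_in_mask HEXMASK CAPNUM
#   Prints 1 if capability CAPNUM is present in the 64-bit hex mask, else 0.
#   Example (constructed mask): cap_in_mask 00000000a80425fb 31 -> 1
cap_in_mask() {
    mask=$1
    cap=$2
    printf '%s\n' "$(( (0x$mask >> cap) & 1 ))"
}

# dropped_from_full HEXMASK LASTCAP
#   Prints the capability numbers 0..LASTCAP that are absent from HEXMASK,
#   i.e. the ones a runtime such as Docker dropped from the bounding set.
dropped_from_full() {
    mask=$1
    last=$2
    i=0
    while [ "$i" -le "$last" ]; do
        [ "$(cap_in_mask "$mask" "$i")" -eq 0 ] && printf '%s ' "$i"
        i=$((i + 1))
    done
    printf '\n'
}

# current_capbnd
#   Prints the hex bounding set of the running shell from /proc/self/status.
current_capbnd() {
    awk '/^CapBnd:/ {print $2}' /proc/self/status
}

# report_setfcap
#   Human-readable verdict for the current process; returns 0 if CAP_SETFCAP
#   is in the bounding set, 1 if it was dropped.
report_setfcap() {
    bnd=$(current_capbnd)
    if [ "$(cap_in_mask "$bnd" "$CAP_SETFCAP")" -eq 1 ]; then
        echo "CapBnd=$bnd: CAP_SETFCAP present (setcap during rpm install will work)"
        return 0
    fi
    echo "CapBnd=$bnd: CAP_SETFCAP dropped (file-capability installs will fail)"
    return 1
}

# Only report when running on Linux with procfs available.
[ -r /proc/self/status ] && report_setfcap
```

Pass a mask copied from another process's /proc/PID/status to dropped_from_full to list exactly which capabilities that container lost.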