Re: leaving setfcap in docker containers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/30/2013 04:23 AM, Daniel P. Berrange wrote:
> On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
>> Quick backstory: unless run in privledged mode, Docker drops a bunch of 
>> capabilities when launching a container. One of these is setfcap. This 
>> breaks of binary RPMs like httpd where the daemon is installed with file 
>> capabilities instead.
>> 
>> We're considering removing setfcap from the list of dropped capabilities.
>> It seems safe to me (note that you run as root inside the container), but
>> I'd like some security-minded review. Could this be used for evil?
>> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=1012952
> 
> Docker with the its sf.net LXC backend does not utilize any kind of MAC
> driver, nor does it utilizer user namespaces, so even with those 
> capabilities dropped it is still insecure if the container app runs as the
> 'root' user. As such allowing CAP_FCAP does not make the situation worse
> AFAICT
> 
> Regards, Daniel
> 
Yes lets eliminate the idea that running as root within a container without
something like SELinux or User Namespace, is going to be much more secure then
running processes as root outside the container.

I plan on working on adding SELinux to wrap the docker container as we have
done for the virt-sandbox containers, but we still allow a lot of privs to a
privledged process within the container.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJJbFAACgkQrlYvE4MpobOW2QCfceDBC39gAGkOICNe8NJz2/Ov
RrgAoJfN6ci+gg8qLvqGTdh32e9szbI7
=sbRH
-----END PGP SIGNATURE-----
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux