On 09/30/2013 04:23 AM, Daniel P. Berrange wrote:
> On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
>> Quick backstory: unless run in privileged mode, Docker drops a bunch of
>> capabilities when launching a container. One of these is setfcap. This
>> breaks binary RPMs like httpd where the daemon is installed with file
>> capabilities instead.
>>
>> We're considering removing setfcap from the list of dropped capabilities.
>> It seems safe to me (note that you run as root inside the container), but
>> I'd like some security-minded review. Could this be used for evil?
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1012952
>
> Docker with its sf.net LXC backend does not utilize any kind of MAC
> driver, nor does it utilize user namespaces, so even with those
> capabilities dropped it is still insecure if the container app runs as the
> 'root' user. As such, allowing CAP_FCAP does not make the situation worse
> AFAICT.
>
> Regards, Daniel
>

Yes, let's eliminate the idea that running as root within a container without something like SELinux or user namespaces is going to be much more secure than running processes as root outside the container.

I plan on working on adding SELinux to wrap the Docker container as we have done for the virt-sandbox containers, but we still allow a lot of privs to a privileged process within the container.

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
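One way to verify the situation Matthew describes from inside a container, added here as an example and not code from anyone in the thread: decode the bounding set (CapBnd) from /proc/<pid>/status and report which capabilities a file-capability binary such as httpd would need but can never regain. The capability bit numbers follow the kernel's include/uapi/linux/capability.h; the status excerpt below is constructed.

```python
import re

# Linux capability numbers: list index == bit position in the Cap* masks.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def parse_cap_sets(status_text):
    """Return {field: int} for the Cap* lines of a /proc/<pid>/status dump."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", line.strip())
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets

def decode_caps(mask):
    """Map a capability bitmask to the list of capability names it contains."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def missing_from_bounding(status_text, wanted):
    """Names from `wanted` absent from the bounding set (CapBnd).

    Whatever is dropped from CapBnd cannot be regained by any process in the
    container, root included, so a binary carrying file capabilities that
    names one of them will fail to acquire it at exec time."""
    bnd = parse_cap_sets(status_text).get("CapBnd", 0)
    have = set(decode_caps(bnd))
    return [c for c in wanted if c not in have]

# Constructed sample: a bounding set with setfcap (bit 31), mknod (27) and
# sys_admin (21) removed from the full 41-bit set.
SAMPLE_STATUS = """Name:\thttpd
CapInh:\t0000000000000000
CapPrm:\t000001ff77dfffff
CapEff:\t000001ff77dfffff
CapBnd:\t000001ff77dfffff
"""

if __name__ == "__main__":
    # On a real host, read /proc/self/status instead of the sample.
    print("missing:", missing_from_bounding(SAMPLE_STATUS, ["setfcap"]))
```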