![]() ![]() This is because certain features like namespaces or mount points which forms the basis of Docker filesystems have always required elevated privileges. It adds a lot of security to the system.Historically, Docker Engine or Docker has always required root privileges to run. I would advise almost all users of Docker who run their containers with non-privileged users to use this feature. Now this user cannot gain any capabilities on the system. Now, if we execute the same container with a non-privileged user and drop all capabilities: # docker run -rm -ti -cap-drop=all -u 3267 fedora grep Cap /proc/self/status ![]() So, even though this process is running as non-root inside the container, it could potentially run with the same capabilities as above if the image builder included a setuid binary.Ĭhown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod,ĭocker has a nice feature where you can drop all capabilities via -cap-drop=all. Notice also, not surprisingly, this number matches the previous container’s. This means if there is a setuid binary included in the image, it would be possible to gain these capabilities. Notice that the CapEff is all zero, but the bounding set of capabilities ( CapBnd) is not. docker run -u 3267 fedora grep Cap /proc/self/status Now let’s run a container as non-root using the -u option. Using the pscap tool, I see that the process has these capabilities:Ĭhown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, Notice that the Effective Capabilities ( CapEff) is a non-zero value, which means that the process has capabilities. # docker run -rm -ti fedora grep Cap /proc/self/status One can look at the capabilities of the current process via grep Cap /proc/self/status. We’ll start with a simple container where the primary process is running as root. ![]() I was asked a question about running users inside of a docker container: could they still get privileges?īefore we begin, here is more background on Linux capabilities How to Run a More Secure Non-Root User Container ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
January 2023
Categories |