stackoom
  简体   繁体   中英

Allow non-root user of container to execute binaries that need capabilities

 原文  2022-04-26 13:53:54       linux/ docker/ security/ containers/ linux-capabilities

Question

I need to run a container as non-root user by default. However a specific process inside this container needs to execute a binary that needs cap.net_admin capabilities (eg: ip command).

I tried running the container with '--privileged' flag, assigning file capability cap.net_admin to 'ip' binary, as well as changing the group to the user's group. This did not work. What is the correct way to get this working?

# cat Dockerfile
FROM  ubuntu:21.04
RUN apt-get update
RUN apt-get install -f -y iproute2
RUN chgrp nogroup /bin/ip
RUN chmod g+x /bin/ip
RUN setcap 'cap_net_admin+epi' /bin/ip
USER nobody


# docker build .
Successfully built be565bc8f52d

# docker run --rm --user nobody  --privileged -it be565bc8f52d /bin/bash
nobody@9834cfaa833f:/$ getcap /bin/ip
/bin/ip cap_net_admin=eip
nobody@9834cfaa833f:/$ ls -lhrt /bin/ip
-rwxr-xr-x 1 root nogroup 626K Mar 17  2021 /bin/ip
nobody@9834cfaa833f:/$ groups nobody
nobody : nogroup
nobody@9834cfaa833f:/$  cat proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
nobody@9834cfaa833f:/$ ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted

Note: With older docker version, this was working with setcap and privileged flag. Probably it stopped working due to the fix for this CVE .

# docker --version
Docker version 20.10.14, build a224086

1 answers

solution1
 3 ACCPTED  2022-04-28 04:04:40

Elaborating on my comment to the question, I think this is a problem with the ip code's attempt to suppress Ambient capabilities except in one specific command line case.

I've suggested a fix in this bug report: https://github.com/shemminger/iproute2/issues/62 (which appears to have been deleted, since this was not how iproute2 wants to receive bug reports). I was directed to try again with this email thread , so we can see how that report turns out.

I did develop a partial workaround you might want to try:

    $ sudo setcap cap_net_admin=ie ./ip
    $ sudo capsh --inh=cap_net_admin --user=`whoami` --
    $ ./ip ...

This works by using inheritable file capabilities instead of the permitted ones you were relying on. The ip code seems to prefer inheritable capabilities over permitted ones.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Giving a non-root user process capabilities to change its niceness Starting container as a non-root user vs starting as root and then downgrade to non-root How to allow non-root user to call chroot(2)? Unable to execute imcl websphere command with non-root user Running tcpdump inside a Docker container as non-root user Error accessing mercurial with non-root user Restart Service with non-root user Not able to install gems as non-root user Using terminal shortcuts with a non-root user Ubuntu run script as non-root user
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM