Docker Community Forums


Docker not dropping capabilities when running container processes as non-root user

security

(Wuebbel) #1

I run processes within my containers as a non-privileged user using the --user option of docker run (or the USER option in the Dockerfile). Following the example on [https://www.projectatomic.io/blog/2016/01/how-to-run-a-more-secure-non-root-user-container/], capabilities are correctly dropped in version 1.10.2:

wuebbel@topf:~/docker/proto$ docker -v
Docker version 1.10.2, build c3959b1
wuebbel@topf:~/docker/proto$ docker run -u 3267 fedora grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

Recently, we upgraded one server to Ubuntu 16.04 and the Docker version to 1.12.2 (from the Docker repository). On this server, no capabilities are dropped for exactly the same lines:

CBM8032% docker -v
Docker version 1.12.2, build bb80604
CBM8032%  docker run -u 3267 fedora grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb

As you would expect, the ordinary user 3267 now has root capabilities inside this container:

CBM8032%  docker run -t -i -u 3267 fedora /bin/sh                                 
sh-4.3$ touch x
sh-4.3$ ls -l x
-rw-r--r-- 1 3267 root 0 Oct 21 12:33 x
sh-4.3$ id  
uid=3267 gid=0(root) groups=0(root)
sh-4.3$ chown root x
sh-4.3$ ls -l x
-rw-r--r-- 1 root root 0 Oct 21 12:33 x
sh-4.3$ exit

I think I missed a change in capability management somewhere. Could someone enlighten me as to how I restore the old behavior?

Best wishes, Frank
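The two `grep Cap /proc/self/status` outputs above are hex bitmasks, and the difference between them is what makes `chown root x` succeed as uid 3267. The following is an added example, not code from the post or from Docker: it decodes those masks into capability names (bit numbers from linux/capability.h) and audits a non-root process's status lines the way one would in a CI or hardening check. The two status snippets are copied from the output quoted in the post; the function names and the "non-root must have empty CapPrm/CapEff" policy are this example's own assumptions.

```python
"""Decode and audit the Cap* lines a container process reports in /proc/self/status."""
import re

# Linux capability bit numbers -> names, in linux/capability.h order (bit 0 = CAP_CHOWN).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Status lines copied from the post: Docker 1.10.2 (caps dropped) and 1.12.2 (caps kept).
STATUS_1_10_2 = """CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
"""
STATUS_1_12_2 = """CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb
"""


def decode_caps(hexmask):
    """Turn a Cap* hex mask into the list of capability names whose bit is set."""
    mask = int(hexmask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits beyond the known table are reported numerically rather than guessed.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_cap_status(text):
    """Extract the five Cap* fields from /proc/<pid>/status text as integers."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)"
    return {m.group(1): int(m.group(2), 16) for m in re.finditer(pattern, text, re.M)}


def audit_non_root(text, uid):
    """Return a list of findings; an empty list means the process is de-privileged as expected.

    Policy (this example's assumption): a process running as a non-root uid should have
    empty permitted and effective sets, and no ambient capabilities.
    """
    caps = parse_cap_status(text)
    findings = []
    if uid == 0:
        # Root inside the container is expected to hold the bounding set; nothing to flag here.
        return findings
    for field in ("CapPrm", "CapEff"):
        if caps.get(field, 0):
            names = ", ".join(decode_caps(format(caps[field], "016x")))
            findings.append(f"{field} is non-empty for uid {uid}: {names}")
    if caps.get("CapAmb", 0):
        # Ambient capabilities survive execve without file capabilities, so a non-root
        # process that starts with them keeps refilling its effective set.
        findings.append("CapAmb is non-empty: capabilities persist across execve for a non-root uid")
    return findings


if __name__ == "__main__":
    print("default set:", decode_caps("00000000a80425fb"))
    for label, status in (("1.10.2", STATUS_1_10_2), ("1.12.2", STATUS_1_12_2)):
        print(label, "->", audit_non_root(status, 3267) or "OK")
```

Fed the real output of `docker run -u <uid> <image> grep Cap /proc/self/status`, `audit_non_root` reports the 1.12.2 case from the post with CAP_CHOWN in the effective set, which is exactly the capability the `chown root x` step exercised. A check like this belongs in the pipeline regardless of which engine version is installed; pairing it with an explicit `--cap-drop ALL` (adding back only what the workload needs) makes the expected result independent of the engine's default behaviour.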