I've recently hit an issue (https://bugzilla.redhat.com/show_bug.cgi?id=2334087) where removing cap_dac_override and keeping cap_dac_read_search works on the host (for a sssd:sssd process to read /etc/krb5.keytab with root:root and -rw-------) but not in containers.
Checking:
$ podman run --rm registry.fedoraproject.org/fedora:rawhide capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: HYBRID (4)
I see that the container has cap_dac_override but not cap_dac_read_search. Reading capabilities(7) it looks like cap_dac_read_search might be a less "powerful" capability than cap_dac_override. (This is with podman-5.3.1-1.fc41.x86_64. Output with sudo podman is the same.)
Is there a specific reason why podman containers by default enable cap_dac_override but do not add cap_dac_read_search?
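To make the asymmetry in the question easy to audit on other containers and processes, here is an added example (mine, not from the question's author or from the podman project). It parses `capsh --print` output, converts between capability-name sets and the hexadecimal CapEff/CapBnd masks shown in /proc/PID/status, and reports whether cap_dac_override is granted while the narrower cap_dac_read_search is not. The capability bit numbers are the ones from `<linux/capability.h>`; the sample output is copied from the question above and labelled as such. The `cap_dac_*` descriptions in the findings paraphrase capabilities(7).

```python
"""Inspect Linux capability sets and flag cap_dac_override-without-cap_dac_read_search."""

# Capability bit numbers from <linux/capability.h>: CAP_CHOWN is bit 0,
# CAP_DAC_OVERRIDE bit 1, CAP_DAC_READ_SEARCH bit 2, ..., CAP_CHECKPOINT_RESTORE bit 40.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Sample input: the `capsh --print` output from the question above (constructed copy).
CAPSH_OUTPUT = """\
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable
Securebits: 00/0x0/1'b0 (no-new-privs=0)
uid=0(root) euid=0(root)
"""


def parse_cap_clause(clause, need_flag=None):
    """Parse 'cap_a,cap_b=ep cap_c=p' (or a bare comma list) into a set of names.

    When need_flag is given (e.g. "e" for effective), only groups whose flag
    letters contain it are kept; a bare list with no '=' has no flags at all."""
    names = set()
    for group in clause.split():
        caps, _, flags = group.partition("=")
        if need_flag is not None and need_flag not in flags:
            continue
        names.update(c for c in caps.split(",") if c)
    return names


def parse_capsh_print(text):
    """Extract the effective, bounding and ambient sets from `capsh --print` output."""
    sets = {"current": set(), "bounding": set(), "ambient": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Current:"):  # "Current IAB:" does not match this prefix
            sets["current"] = parse_cap_clause(line.split(":", 1)[1], need_flag="e")
        elif line.startswith("Bounding set"):
            sets["bounding"] = parse_cap_clause(line.split("=", 1)[1])
        elif line.startswith("Ambient set"):
            sets["ambient"] = parse_cap_clause(line.split("=", 1)[1])
    return sets


def caps_to_mask(names):
    """Encode a set of capability names as the integer bitmask the kernel uses."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def mask_to_caps(hex_mask):
    """Decode a CapEff/CapPrm/CapBnd value as printed in /proc/<pid>/status."""
    mask = int(hex_mask, 16)
    return {name for name, bit in CAP_BIT.items() if (mask >> bit) & 1}


def dac_findings(effective):
    """Report the DAC-bypass asymmetry: the broad override present, the narrow one absent."""
    findings = []
    if "cap_dac_override" in effective:
        findings.append("cap_dac_override present: bypasses file read, write and execute permission checks")
    if "cap_dac_read_search" not in effective:
        findings.append("cap_dac_read_search absent: no read-only/search-only bypass to fall back on "
                        "if cap_dac_override is dropped")
    return findings


if __name__ == "__main__":
    sets = parse_capsh_print(CAPSH_OUTPUT)
    print("effective:", ",".join(sorted(sets["current"], key=CAP_BIT.get)))
    print(f"CapEff mask as /proc shows it: {caps_to_mask(sets['current']):016x}")
    for finding in dac_findings(sets["current"]):
        print("finding:", finding)
```

Running it against the output above reports both findings and the mask 00000000800405fb, which is the value you would see as CapEff in /proc/1/status inside such a container; feeding `mask_to_caps` the CapEff of a running process gives the same comparison without needing capsh in the image. Because the kernel checks the bounding set on every capability-raising path, a container that wants the narrower permission must have it added with podman's `--cap-add cap_dac_read_search` (optionally alongside `--cap-drop cap_dac_override`); a process inside cannot acquire a capability that is outside the bounding set.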