/kind bug
Description
This is similar to #1526 but about capabilities, and not the SUID bit.
Once you enter the Silverblue toolbox you see:
[rishi@bollard fedora-toolbox]$ ./fedora-toolbox enter
🔹[rishi@toolbox ~]$ capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=1000(rishi)
gid=1000(rishi)
groups=10(wheel)
🔹[rishi@toolbox ~]$ getcap /usr/bin/ping
🔹[rishi@toolbox ~]$ ls -l /usr/bin/ping
-rwxr-xr-x. 1 root root 63224 Feb 8 2018 /usr/bin/ping
🔹[rishi@toolbox ~]$ ping fedoraproject.org
ping: socket: Operation not permitted
🔹[rishi@toolbox ~]$ sudo su -
[root@toolbox ~]# ping fedoraproject.org
ping: socket: Operation not permitted
Since /usr/bin/ping isn't present in the base fedora image, we need to use an image that layers in sudo, e.g., the fedora-toolbox image.
$ podman run -it --rm --uidmap 1000:0:1 --uidmap 0:1:1000 --uidmap 1001:1001:64536 fedora-toolbox:28 bash
[root@b18ed3028937 /]# capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
[root@b18ed3028937 /]# getcap /usr/bin/ping
Failed to get capabilities of file `/usr/bin/ping' (Numerical result out of range)
Output of podman version:
Version: 0.9.3.1
Go Version: go1.10.4
OS/Arch: linux/amd64
Note that this is podman-0.9.3.1 with the fix for #1526 cherry-picked on top. I also have the patch from opencontainers/runc#1862 in my runc build.
Output of podman info:
host:
Conmon:
package: podman-0.9.3.1-1.1.git1cd906d.fc28.x86_64
path: /usr/libexec/podman/conmon
version: 'conmon version 1.12.0-dev, commit: 8cc84bd282d7badb733d4d1e041b5d7ef7a63190-dirty'
MemFree: 4333494272
MemTotal: 16696311808
OCIRuntime:
package: runc-1.0.0-53.1.dev.git70ca035.fc28.x86_64
path: /usr/bin/runc
version: 'runc version spec: 1.0.0'
SwapFree: 4208979968
SwapTotal: 4208979968
arch: amd64
cpus: 4
hostname: bollard
kernel: 4.18.9-200.fc28.x86_64
os: linux
uptime: 3h 57m 37.86s (Approximately 0.12 days)
insecure registries:
registries: []
registries:
registries:
- docker.io
- registry.fedoraproject.org
- quay.io
- registry.access.redhat.com
- registry.centos.org
store:
ContainerStore:
number: 1
GraphDriverName: vfs
GraphOptions: []
GraphRoot: /var/home/rishi/.local/share/containers/storage
GraphStatus: {}
ImageStore:
number: 7
RunRoot: /run/user/1000/run
Additional environment details (AWS, VirtualBox, physical, etc.):
This is a physical laptop running Fedora 28 Silverblue 28.20180923.0.
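The two capsh listings above differ only in which bits are set, and a container image will not always ship capsh. The following script is an added example for this issue, not code from podman or from the reporter: it decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb hex masks from /proc/<pid>/status into the same cap_* names that capsh prints, so you can check from inside a container whether cap_net_raw is really in the effective set. The capability numbering is the one from linux/capability.h up to cap_audit_read (bit 37, the last one the 4.18 kernel in the report knows); the SAMPLE_STATUS text is constructed for offline use and encodes the 14-capability set of the second listing (0xa80425fb).

```python
"""Decode Linux capability bitmasks the way `capsh --print` does.

Added example for this issue (not podman's or the reporter's code). Reads the
Cap* lines of /proc/<pid>/status and names the bits, so a container without
capsh can still be checked for e.g. cap_net_raw.
"""
import os

# Capability names indexed by bit number, per linux/capability.h, up to
# cap_audit_read (bit 37), which is the highest bit the 4.18 kernel on this
# page defines. Newer kernels add bits 38+, reported here as cap_<n>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

# The five capability sets the kernel exposes in /proc/<pid>/status.
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_caps(mask):
    """Return the capability names set in an integer bitmask, lowest bit first."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
    return names


def parse_status(text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into {field: int}."""
    caps = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in CAP_FIELDS:
            caps[key] = int(value.strip(), 16)
    return caps


def read_process_caps(pid="self"):
    """Read and parse /proc/<pid>/status for a live process."""
    with open("/proc/%s/status" % pid) as f:
        return parse_status(f.read())


def has_effective(caps, name):
    """True if capability `name` is in the effective set of a parsed status."""
    return name in decode_caps(caps.get("CapEff", 0))


# Constructed sample (not captured from the reporter's system): the
# 14-capability set shown in the second capsh listing, 0xa80425fb, as the
# kernel would print it in /proc/<pid>/status.
SAMPLE_STATUS = """\
Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    # Decode the running process when /proc is available, else the sample.
    if os.path.exists("/proc/self/status"):
        caps = read_process_caps()
    else:
        caps = parse_status(SAMPLE_STATUS)
    for field in CAP_FIELDS:
        names = decode_caps(caps.get(field, 0))
        print("%s = %s" % (field, ",".join(names) or "(none)"))
    print("cap_net_raw effective:", has_effective(caps, "cap_net_raw"))
```

Run it inside the container (`python3 caps.py`, or point `read_process_caps` at the PID of the shell you entered with) and compare the CapEff line with what capsh reports. One caveat when reading the result: a capability that decodes as present is still judged per user namespace. As user_namespaces(7) describes, capabilities held in a child user namespace only authorize operations on resources owned by that namespace, so a rootless container showing cap_net_raw in CapEff does not thereby get to open a raw socket in a network namespace owned by the initial user namespace.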