GitList

Browse code

SETUID/SETGID not required for changing user

It is no longer necessary to pass "SETUID" or "SETGID" capabilities to
the container when a "user" is specified in the config.

Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)

Bernerd Schaefer authored on 2014/05/28 23:41:48
Showing 2 changed files

pkg/libcontainer/nsinit/init.go index 8139865..0f1f484 100644
pkg/libcontainer/security/capabilities/capabilities.go index ba72070..64ea961 100644

pkg/libcontainer/nsinit/init.go

History View file @ 0563453

@@ -172,15 +172,33 @@ func setupNetwork(container *libcontainer.Container, context libcontainer.Contex
                      // and working dir, and closes any leaky file descriptors
                      // before execing the command inside the namespace
                      func FinalizeNamespace(container *libcontainer.Container) error {
                     -	if err := capabilities.DropCapabilities(container); err != nil {
                     -		return fmt.Errorf("drop capabilities %s", err)
                     -	}
                      	if err := system.CloseFdsFrom(3); err != nil {
                      		return fmt.Errorf("close open file descriptors %s", err)
+                     	}
+                    +
                     +	// drop capabilities in bounding set before changing user
                     +	if err := capabilities.DropBoundingSet(container); err != nil {
                     +		return fmt.Errorf("drop bounding set %s", err)
                     +	}
+                    +
                     +	// preserve existing capabilities while we change users
                     +	if err := system.SetKeepCaps(); err != nil {
                     +		return fmt.Errorf("set keep caps %s", err)
                     +	}
+                    +
                      	if err := SetupUser(container.User); err != nil {
                      		return fmt.Errorf("setup user %s", err)
+                     	}
+                    +
                     +	if err := system.ClearKeepCaps(); err != nil {
                     +		return fmt.Errorf("clear keep caps %s", err)
                     +	}
+                    +
                     +	// drop all other capabilities
                     +	if err := capabilities.DropCapabilities(container); err != nil {
                     +		return fmt.Errorf("drop capabilities %s", err)
                     +	}
+                    +
                      	if container.WorkingDir != "" {
                      		if err := system.Chdir(container.WorkingDir); err != nil {
                      			return fmt.Errorf("chdir to %s %s", container.WorkingDir, err)

pkg/libcontainer/security/capabilities/capabilities.go

History View file @ 0563453

@@ -9,6 +9,25 @@ import (
                      const allCapabilityTypes = capability.CAPS | capability.BOUNDS
                     +// DropBoundingSet drops the capability bounding set to those specified in the
                     +// container configuration.
                     +func DropBoundingSet(container *libcontainer.Container) error {
                     +	c, err := capability.NewPid(os.Getpid())
                     +	if err != nil {
                     +		return err
                     +	}
+                    +
                     +	keep := getEnabledCapabilities(container)
                     +	c.Clear(capability.BOUNDS)
                     +	c.Set(capability.BOUNDS, keep...)
+                    +
                     +	if err := c.Apply(capability.BOUNDS); err != nil {
                     +		return err
                     +	}
+                    +
                     +	return nil
                     +}
+                    +
                      // DropCapabilities drops all capabilities for the current process expect those specified in the container configuration.
                      func DropCapabilities(container *libcontainer.Container) error {
                      	c, err := capability.NewPid(os.Getpid())