This repository has been archived by the owner. It is now read-only.

Problems running a binary with setcap as an unprivileged user #3179

Closed
steeef opened this issue Sep 9, 2016 · 8 comments

Comments


@steeef steeef commented Sep 9, 2016

Environment

rkt Version: 1.8.0
appc Version: 0.8.4
Go Version: go1.5.4
Go OS/Arch: linux/amd64
Features: -TPM
--
Linux 4.7.0-coreos x86_64
--
NAME=CoreOS
ID=coreos
VERSION=1122.2.0
VERSION_ID=1122.2.0
BUILD_ID=2016-09-06-1449
PRETTY_NAME="CoreOS 1122.2.0 (MoreOS)"
ANSI_COLOR="1;32"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
--
systemd 229
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS -ACL +XZ -LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD -IDN

What did you do?

I'm running a Docker image that runs a binary as an unprivileged user. The binary in question (/usr/bin/caddy) has NET_BIND_SERVICE capability set as part of the Dockerfile, which should allow the unprivileged user to mount ports below 1024.

Dockerfile: https://github.com/steeef/stp5net/blob/master/Dockerfile
rkt run command:

sudo /usr/bin/rkt run --insecure-options=image --interactive --inherit-env  docker://steeef/stp5net --exec /bin/sh

What did you expect to see?

This is what I get when running it with Docker on the same host:

/srv $ getcap /usr/bin/caddy
/usr/bin/caddy = cap_net_bind_service+ep

What did you see instead?

/srv $ getcap /usr/bin/caddy
/srv $

And indeed, running the binary as the unprivileged user results in "permission denied" when it attempts to bind to port 443.


@s-urbaniak s-urbaniak commented Sep 12, 2016

@steeef thanks for reporting this. It seems we are losing the xattr when unpacking and/or converting internally, so it is probably somewhere inside docker2aci.

Keep in mind that you will still have to specify rkt run --cap-retain=CAP_NET_BIND_SERVICE. I was trying to come up with a quick workaround but we also lose CAP_SETFCAP for setcap itself :-/


@steeef steeef commented Sep 12, 2016

@s-urbaniak thanks for the tip re: --cap-retain. I missed that part of the docs. BTW, is it --cap-retain or --caps-retain? This page uses both:
https://coreos.com/rkt/docs/latest/capabilities-guide.html

Good find on docker2aci being the issue. That'd be my guess as well. I noticed that it also didn't carry over the ulimit setting from the Dockerfile. Running ulimit -n as the created user gives the default, 1024.


@s-urbaniak s-urbaniak commented Sep 14, 2016

@steeef and again, for the pointer in the documentation! :-) Indeed, the capabilities guide needs a fix. To clarify: --cap-retain is deprecated (but still works), so please use --caps-retain in the future.

s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Sep 14, 2016
Partially fixes rkt#3179 (the documentation part)

@jonboulle jonboulle commented Sep 14, 2016

for posterity, cross-referencing #2994


@s-urbaniak s-urbaniak commented Sep 15, 2016

github was too smart on closing this one, I just fixed the documentation issue, hence re-opening.


@lucab lucab commented Sep 29, 2016

The underlying docker2aci issue is at appc/docker2aci#202.

@lucab lucab added this to the v1.17.0 milestone Sep 29, 2016
@lucab lucab removed this from the v1.16.0 milestone Sep 29, 2016
@s-urbaniak s-urbaniak added this to the v1.18.0 milestone Oct 12, 2016
@s-urbaniak s-urbaniak removed this from the v1.17.0 milestone Oct 12, 2016
@s-urbaniak s-urbaniak self-assigned this Oct 12, 2016

@s-urbaniak s-urbaniak commented Oct 22, 2016

I am working on this now, and found that the bug is most likely in rkt itself, not in docker2aci, see appc/docker2aci#202 (comment).


@s-urbaniak s-urbaniak commented Oct 23, 2016

Note to myself: This place https://github.com/coreos/rkt/blob/master/pkg/tar/tar.go#L147 misses xattr handling.

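The capability that goes missing here travels inside the image layer tar as the security.capability xattr, which PAX archives carry as a SCHILY.xattr.security.capability record, so an unpacker that ignores xattr records silently drops it. The following is an added example, not rkt's or docker2aci's code: it builds a constructed PAX archive with that record on usr/bin/caddy, then scans an archive and decodes the kernel's revision-2 vfs_cap_data layout into getcap's notation; CAP_NAMES is a two-entry display table and the raw xattr bytes are kept exact through Python's surrogateescape handling of PAX values.

```python
import io
import struct
import tarfile

# PAX record for the security.capability xattr; struct vfs_cap_data revision 2 (20 bytes, LE).
XATTR_KEY = "SCHILY.xattr.security.capability"
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_NAMES = {10: "cap_net_bind_service", 31: "cap_setfcap"}  # display subset only

def encode_caps_v2(permitted: int, effective: bool = True) -> bytes:
    """Pack a revision-2 vfs_cap_data: permitted set, empty inheritable set."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, permitted & 0xFFFFFFFF, 0,
                       (permitted >> 32) & 0xFFFFFFFF, 0)

def decode_caps_v2(raw: bytes) -> str:
    """Render a security.capability blob the way getcap prints it."""
    magic, p0, _i0, p1, _i1 = struct.unpack("<IIIII", raw[:20])
    if magic & VFS_CAP_REVISION_MASK != VFS_CAP_REVISION_2:
        raise ValueError("unsupported vfs_cap_data revision")
    permitted = p0 | (p1 << 32)
    names = [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1]
    return ",".join(names) + ("+ep" if magic & VFS_CAP_FLAGS_EFFECTIVE else "+p")

def build_sample_tar() -> bytes:
    """Constructed layer: usr/bin/caddy with cap_net_bind_service+ep plus a plain file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, caps in (("usr/bin/caddy", encode_caps_v2(1 << 10)),
                           ("srv/index.html", None)):
            payload = b"#!/bin/sh\nexit 0\n"
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(payload), 0o755
            if caps is not None:
                # PAX values are text; surrogateescape keeps the raw bytes intact.
                info.pax_headers = {XATTR_KEY: caps.decode("utf-8", "surrogateescape")}
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def capabilities_in_tar(data: bytes) -> dict:
    """Map member name to getcap-style caps for every member carrying the xattr."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for member in tf.getmembers():
            value = member.pax_headers.get(XATTR_KEY)
            if value is not None:
                found[member.name] = decode_caps_v2(value.encode("utf-8", "surrogateescape"))
    return found
```

Running capabilities_in_tar over a layer before and after it has been unpacked and repacked shows directly whether the tooling kept the xattr.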
s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Oct 23, 2016
Currently the xattr field is ignored when untarring files. This fixes
it.

Fixes rkt#3179
s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Oct 24, 2016
Currently the xattr field is ignored when untarring files. This fixes
it.

Fixes rkt#3179
s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Oct 25, 2016
Currently the xattr field is ignored when untarring files. This fixes
it.

Fixes rkt#3179