Problems running a binary with setcap as an unprivileged user #3179

Closed
steeef opened this Issue Sep 9, 2016 · 8 comments

steeef commented Sep 9, 2016

Environment

rkt Version: 1.8.0
appc Version: 0.8.4
Go Version: go1.5.4
Go OS/Arch: linux/amd64
Features: -TPM
--
Linux 4.7.0-coreos x86_64
--
NAME=CoreOS
ID=coreos
VERSION=1122.2.0
VERSION_ID=1122.2.0
BUILD_ID=2016-09-06-1449
PRETTY_NAME="CoreOS 1122.2.0 (MoreOS)"
ANSI_COLOR="1;32"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
--
systemd 229
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS -ACL +XZ -LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD -IDN

What did you do?

I'm running a Docker image that runs a binary as an unprivileged user. The binary in question (/usr/bin/caddy) has NET_BIND_SERVICE capability set as part of the Dockerfile, which should allow the unprivileged user to mount ports below 1024.

Dockerfile: https://github.com/steeef/stp5net/blob/master/Dockerfile
rkt run command:

sudo /usr/bin/rkt run --insecure-options=image --interactive --inherit-env  docker://steeef/stp5net --exec /bin/sh

What did you expect to see?

This is what I get when running it with Docker on the same host:

/srv $ getcap /usr/bin/caddy
/usr/bin/caddy = cap_net_bind_service+ep

What did you see instead?

/srv $ getcap /usr/bin/caddy
/srv $

And indeed, running the binary as the unprivileged user results in "permission denied" when it attempts to bind to port 443.

s-urbaniak commented Sep 12, 2016

@steeef thanks for reporting this. It seems we are losing the xattr when unpacking and/or converting internally, so it is probably somewhere inside docker2aci.

Keep in mind that you will still have to specify rkt run --cap-retain=CAP_NET_BIND_SERVICE. I was trying to come up with a quick workaround but we also lose CAP_SETFCAP for setcap itself :-/

steeef commented Sep 12, 2016

@s-urbaniak thanks for the tip re: --cap-retain. I missed that part of the docs. BTW, is it --cap-retain or --caps-retain? This page uses both:
https://coreos.com/rkt/docs/latest/capabilities-guide.html

Good find on docker2aci being the issue. That'd be my guess as well. I noticed that it also didn't carry over the ulimit setting from the Dockerfile. Running ulimit -n as the created user gives the default, 1024.

s-urbaniak commented Sep 14, 2016

@steeef and again, thanks for the pointer in the documentation! :-) Indeed, the capabilities guide needs a fix. To clarify: --cap-retain is deprecated (but still works), so please use --caps-retain in the future.

s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Sep 14, 2016

Sergiusz Urbaniak
Documentation: remove --cap-retain/remove mentions
Partially fixes rkt#3179 (the documentation part)
jonboulle commented Sep 14, 2016

for posterity, cross-referencing #2994

s-urbaniak commented Sep 15, 2016

github was too smart on closing this one, I just fixed the documentation issue, hence re-opening.

lucab commented Sep 29, 2016

The underlying docker2aci issue is at appc/docker2aci#202.

s-urbaniak commented Oct 22, 2016

I am working on this now, and found that the bug is most likely in rkt itself, not in docker2aci, see appc/docker2aci#202 (comment).

s-urbaniak commented Oct 23, 2016

Note to myself: This place https://github.com/coreos/rkt/blob/master/pkg/tar/tar.go#L147 misses xattr handling.
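To show what that missing xattr handling costs, here is an added Go example (not rkt's or docker2aci's code): it reads the security.capability PAX record that a layer tar carries for each file and decodes the capability bits, which is what an untar has to write back with setxattr for getcap to show anything inside the pod. The sample layer, its "ELF" placeholder body and the names auditLayer/decodeCaps/paxCapKey are constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/binary"
	"io"
)

// security.capability holds a Linux vfs_cap_data (rev 2, 20 bytes LE: magic_etc, permitted[0],
// inheritable[0], permitted[1], inheritable[1]; magic_etc top byte = revision, bit 0 = effective).
// A layer tar carries the xattr as this PAX record, which an untar must write back with setxattr.
const paxCapKey = "SCHILY.xattr.security.capability"
// decodeCaps returns the permitted set (bit n <=> capability n) and effective flag; ok is false if malformed.
func decodeCaps(b []byte) (permitted uint64, effective, ok bool) {
	if len(b) < 20 || (b[3] != 2 && b[3] != 3) { // b[3] is the revision byte; rev 3 only adds a rootid
		return 0, false, false
	}
	u32 := func(off int) uint64 { return uint64(binary.LittleEndian.Uint32(b[off:])) }
	return u32(4) | u32(12)<<32, u32(0)&1 != 0, true
}

// auditLayer maps each tar entry to the permitted set in its PAX xattr record; entries without one are omitted.
func auditLayer(r io.Reader) (map[string]uint64, error) {
	out := map[string]uint64{}
	for tr := tar.NewReader(r); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if p, _, ok := decodeCaps([]byte(hdr.PAXRecords[paxCapKey])); ok {
			out[hdr.Name] = p
		}
	}
}

// sampleLayer is a constructed one-file layer whose usr/bin/caddy carries cap_net_bind_service+ep, as setcap leaves it.
func sampleLayer() []byte {
	capv := make([]byte, 20)
	binary.LittleEndian.PutUint32(capv, 0x02000001) // rev 2 | VFS_CAP_FLAGS_EFFECTIVE
	binary.LittleEndian.PutUint32(capv[4:], 1<<10)  // permitted[0]: CAP_NET_BIND_SERVICE
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "usr/bin/caddy", Mode: 0755, Size: 3, Typeflag: tar.TypeReg, PAXRecords: map[string]string{paxCapKey: string(capv)}})
	tw.Write([]byte("ELF")) // constructed placeholder body
	tw.Close()
	return buf.Bytes()
}
```

Running auditLayer over a layer before and after extraction (re-tarring the extracted tree with xattrs) is a quick way to confirm whether a given untar path preserves file capabilities.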

s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Oct 23, 2016

Sergiusz Urbaniak
stage0/cas: apply xattr attributes
Currently the xattr field is ignored when untarring files. This fixes it.

Fixes rkt#3179

s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Oct 24, 2016

Sergiusz Urbaniak
stage0/cas: apply xattr attributes
Currently the xattr field is ignored when untarring files. This fixes it.

Fixes rkt#3179

s-urbaniak pushed a commit to s-urbaniak/rkt that referenced this issue Oct 25, 2016

Sergiusz Urbaniak
stage0/cas: apply xattr attributes
Currently the xattr field is ignored when untarring files. This fixes it.

Fixes rkt#3179