newuidmap requires CAP_SYS_ADMIN (rather than CAP_SET{U,G}ID)? #170
Comments
(Actually this question/issue is not specific to img, and I'm not sure this repo is the right place to ask this question :P)
A better place to ask would be https://github.com/shadow-maint/shadow. But the answer is that the in-kernel check for (Funnily enough this means that you could design a
Going quickly through the kernel I am not sure if the correct fix should be in the kernel, but this PR for newuidmap/newgidmap seems to do the trick as well: shadow-maint/shadow#132
@cyphar I've not seen your reply when preparing mine :-) so perhaps my proposed solution is not completely wrong
Wow, good to know. I am slightly weirded out I didn't hit this before...
Thanks all for the info. The check seems to have been added in 2013: torvalds/linux@41c21e3
Applies shadow-maint/shadow#132 so that we don't need to have CAP_SYS_ADMIN. See also genuinetools#170 . Signed-off-by: Akihiro Suda <[email protected]>
PR: #171
* use Giuseppe's forked newuidmap/newgidmap Applies shadow-maint/shadow#132 so that we don't need to have CAP_SYS_ADMIN. See also #170 . Signed-off-by: Akihiro Suda <[email protected]> * shut up codacy Signed-off-by: Akihiro Suda <[email protected]>
Close genuinetools#170 Signed-off-by: Akihiro Suda <[email protected]>
The YAML above (based on https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/) works with Kubernetes 1.12.1 + Docker 18.06.1 (Minikube PR: kubernetes/minikube#3223).

However, when I add `SETUID` and `SETGID` to `capabilities` instead of `SYS_ADMIN`, `newuidmap` fails:

(EDIT: `SETUID` and `SETGID` are already in the default set, and adding them explicitly is just a "NOP")

cc @jessfraz @cyphar @giuseppe
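As an added example (not code from img, shadow or the kernel, and not part of this issue), the following Python decodes the `Cap*` lines of `/proc/<pid>/status` and reports whether the process holds `CAP_SETUID`, `CAP_SETGID` and `CAP_SYS_ADMIN`. That is the check worth running inside the pod before assuming what a Kubernetes `capabilities` list (which names capabilities without the `CAP_` prefix) actually granted to the process that execs `newuidmap`. The capability bit numbers follow `<linux/capability.h>`; the sample status text is constructed, and `/proc/self/status` is only read when the script runs on Linux.

```python
"""Decode Linux capability sets from /proc/<pid>/status text.

Added example for this thread, not code from img, shadow or the kernel.
It answers the practical question behind the issue: what does the process
that execs newuidmap actually hold in CapEff? Capability bit numbers follow
<linux/capability.h>; the sample status text below is constructed.
"""
from __future__ import annotations

import re

# Bit index == position in this list, as in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Kubernetes securityContext.capabilities names capabilities without CAP_.
IDMAP_CAPS = ("SETUID", "SETGID", "SYS_ADMIN")


def kernel_name(k8s_cap: str) -> str:
    """Map a Kubernetes-style name ("SETUID") to the kernel name ("CAP_SETUID")."""
    cap = k8s_cap.upper()
    return cap if cap.startswith("CAP_") else "CAP_" + cap


def decode_mask(hex_mask: str) -> set[str]:
    """Turn a hex bitmask (as printed on a CapEff: line) into capability names."""
    mask = int(hex_mask, 16)
    names: set[str] = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the table belong to caps newer than this table.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_status(status_text: str) -> dict[str, set[str]]:
    """Extract every Cap*: line of /proc/<pid>/status into a decoded set."""
    sets: dict[str, set[str]] = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def check_idmap_caps(status_text: str) -> dict[str, bool]:
    """Report which of SETUID / SETGID / SYS_ADMIN are in the effective set."""
    eff = parse_status(status_text).get("CapEff", set())
    return {cap: kernel_name(cap) in eff for cap in IDMAP_CAPS}


# Constructed sample: Cap* lines of a process under a container runtime's
# default capability set (SETUID and SETGID present, SYS_ADMIN absent).
SAMPLE_STATUS = """\
Name:\tnewuidmap
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def main() -> None:
    try:
        with open("/proc/self/status") as f:
            text = f.read()
        source = "/proc/self/status"
    except OSError:  # not on Linux: fall back to the constructed sample
        text, source = SAMPLE_STATUS, "constructed sample"
    print(f"Effective capabilities from {source}:")
    for cap, present in check_idmap_caps(text).items():
        print(f"  {kernel_name(cap)}: {'present' if present else 'absent'}")


if __name__ == "__main__":
    main()
```

Run it as the same user and in the same pod that will invoke `newuidmap`; the `CapEff` line, not the manifest, is what the kernel consults, so a capability listed under `add:` but missing here (for instance because the container runs as non-root and it was not raised into the effective set) shows up as `absent`.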