Friday, September 27, 2019

docker capabilities

[node1] (local) root@192.168.0.13 ~
$  docker run --rm -it alpine chown nobody /
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
050382585609: Pull complete
Digest: sha256:6a92cd1fcdc8d8cdec60f33dda4db2cb1fcdcacf3410a8e05b3741f44a9b5998
Status: Downloaded newer image for alpine:latest
[node1] (local) root@192.168.0.13 ~
$  docker run --rm -it --cap-drop ALL --cap-add CHOWN alpine chown nobody /
[node1] (local) root@192.168.0.13 ~
$  docker run --rm -it --cap-drop CHOWN alpine chown nobody /
chown: /: Operation not permitted
[node1] (local) root@192.168.0.13 ~
$  docker run --rm -it --cap-add chown -u nobody alpine chown nobody /
chown: /: Operation not permitted
[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it alpine sh -c 'apk add -U libcap; capsh --print'
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/1) Installing libcap (2.27-r0)
Executing busybox-1.30.1-r2.trigger
OK: 6 MiB in 15 packages
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it alpine sh -c 'apk add -U libcap;capsh --help'
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/1) Installing libcap (2.27-r0)
Executing busybox-1.30.1-r2.trigger
OK: 6 MiB in 15 packages
usage: capsh [args ...]
  --help         this message (or try 'man capsh')
  --print        display capability relevant state
  --decode=xxx   decode a hex string to a list of caps
  --supports=xxx exit 1 if capability xxx unsupported
  --drop=xxx     remove xxx,.. capabilities from bset
  --addamb=xxx   add xxx,... capabilities to ambient set
  --delamb=xxx   remove xxx,... capabilities from ambient
  --noamb=xxx    reset the ambient capabilities
  --caps=xxx     set caps as per cap_from_text()
  --inh=xxx      set xxx,.. inheritiable set
  --secbits=<n>  write a new value for securebits
  --keep=<n>     set keep-capabability bit to <n>
  --uid=<n>      set uid to <n> (hint: id <username>)
  --gid=<n>      set gid to <n> (hint: id <username>)
  --groups=g,... set the supplemental groups
  --user=<name>  set uid,gid and groups to that of user
  --chroot=path  chroot(2) to this path
  --killit=<n>   send signal(n) to child
  --forkfor=<n>  fork and make child sleep for <n> sec
  ==             re-exec(capsh) with args as for --
  --             remaing arguments are for /bin/bash
                 (without -- [capsh] will simply exit(0))
[node1] (local) root@192.168.0.13 ~
$
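The transcript above shows what each capability flag does but not the rule behind the fourth run, where `--cap-add chown -u nobody` still fails. The Python below is an added example, not code from the original post nor from Docker or libcap: it decodes the hex masks that `/proc/<pid>/status` reports (the same state `capsh --print` summarises), builds the 14-capability default set shown in the `Current:` line, and models the execve(2) capability transition from capabilities(7) for a binary with no file capabilities and no setuid bit, which is what busybox `chown` is in alpine. The `/proc` status excerpt, the `DOCKER_DEFAULT` constant, the helper names and the uid 65534 for `nobody` are constructed for this example; the `+eip` suffix in the transcript is what justifies starting the inheritable set equal to the bounding set.

```python
# Added example (not from the original post): decode Linux capability masks and
# model the execve(2) rules that explain the four docker runs in the transcript.

# Capability names in bit order (linux/capability.h, through kernel 5.9).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
ALL_CAPS = (1 << len(CAP_NAMES)) - 1
CAP_BIT = {name: 1 << i for i, name in enumerate(CAP_NAMES)}


def encode(names):
    """Bitmask for a list of cap_* names (what capsh calls cap_from_text)."""
    return sum(CAP_BIT[n.lower()] for n in names)


def decode(mask):
    """Names for a bitmask, in bit order (the order capsh --decode prints)."""
    return [n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]


# The 14 capabilities Docker grants by default, as in the capsh --print output.
DOCKER_DEFAULT = encode([
    "cap_chown", "cap_dac_override", "cap_fowner", "cap_fsetid", "cap_kill",
    "cap_setgid", "cap_setuid", "cap_setpcap", "cap_net_bind_service",
    "cap_net_raw", "cap_sys_chroot", "cap_mknod", "cap_audit_write", "cap_setfcap",
])


def parse_status(text):
    """Pull the Cap* hex masks and the real Uid out of /proc/<pid>/status text."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            out[key] = int(value.strip(), 16)
        elif key == "Uid":
            out["Uid"] = int(value.split()[0])
    return out


def caps_after_exec(uid, bounding, inheritable, ambient):
    """Permitted and effective sets after execve(2) of a binary that carries no
    file capabilities and no setuid bit (busybox chown in alpine), per capabilities(7):
      P'(perm) = (P(inh) & F(inh)) | (F(perm) & P(bnd)) | P'(amb)
      P'(eff)  = F(eff) ? P'(perm) : P'(amb)
    With secure-noroot unset, uid 0 is treated as F(inh)=F(perm)=all, F(eff)=1;
    any other uid with no file caps gets F(inh)=F(perm)=0, F(eff)=0."""
    if uid == 0:
        f_inh = f_perm = ALL_CAPS
        f_eff = True
    else:
        f_inh = f_perm = 0
        f_eff = False
    new_amb = ambient  # unprivileged file: ambient set survives the exec
    new_perm = (inheritable & f_inh) | (f_perm & bounding) | new_amb
    new_eff = new_perm if f_eff else new_amb
    return new_perm, new_eff


def chown_allowed(uid, bounding, inheritable=None, ambient=0):
    """Would `chown nobody /` succeed? Only CAP_CHOWN in the effective set counts."""
    if inheritable is None:
        inheritable = bounding  # the "+eip" in the transcript: inh == bnd by default
    _, eff = caps_after_exec(uid, bounding, inheritable, ambient)
    return bool(eff & CAP_BIT["cap_chown"])


# Constructed /proc/self/status excerpt for the plain `docker run alpine` case.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def scenarios():
    """The four docker runs from the transcript, modelled on the execve rules."""
    nobody = 65534  # assumption: alpine's nobody uid
    return {
        "default root": chown_allowed(0, DOCKER_DEFAULT),
        "--cap-drop ALL --cap-add CHOWN": chown_allowed(0, CAP_BIT["cap_chown"]),
        "--cap-drop CHOWN": chown_allowed(0, DOCKER_DEFAULT & ~CAP_BIT["cap_chown"]),
        "--cap-add chown -u nobody": chown_allowed(nobody, DOCKER_DEFAULT),
    }


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    print("CapEff =", ",".join(decode(st["CapEff"])))
    for name, ok in scenarios().items():
        print(f"{name:32s} chown nobody / -> {'ok' if ok else 'Operation not permitted'}")
```

The non-root case is the one worth keeping in mind: `--cap-add` only widens the bounding set, and for a uid other than 0 the execve rule zeroes the permitted set unless the capability arrives through file capabilities or the ambient set, so the container's `chown` ends up with `CapEff` of 0 even though `CapBnd` still lists `cap_chown`.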
