steveszabo
Trying to understand how to use Linux capabilities when running in a container. I'm able to use CAP_DAC_OVERRIDE when running an Ubuntu image on an Ubuntu host:
Code:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install libcap2-bin -y
RUN setcap CAP_DAC_OVERRIDE=eip /usr/bin/cp
USER nobody
ENTRYPOINT ["/usr/bin/cp", "/etc/os-release", "/"]
Code:
$ docker run --cap-add CAP_DAC_OVERRIDE --rm -it --entrypoint=/bin/bash 5f4cf7fc782a
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ getcap /usr/bin/cp
/usr/bin/cp cap_dac_override=eip
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ /usr/bin/cp /etc/os-release /
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ ls -ld /os-release
-rw-r--r-- 1 nobody nogroup 386 Sep 10 00:32 /os-release
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$
nobody@55eb528031d4:/$ exit
If I switch to a Red Hat image running on the same Ubuntu host, I don't get the same results:
Code:
FROM registry.redhat.io/ubi8/ubi-minimal:8.6-902.1661794353
RUN setcap CAP_DAC_OVERRIDE=eip /usr/bin/cp
USER nobody
ENTRYPOINT ["/usr/bin/cp", "/etc/os-release", "/"]
Code:
$ docker run --cap-add CAP_DAC_OVERRIDE --rm -it --entrypoint=/bin/bash bf84cc52c20a
bash-4.4$
bash-4.4$
bash-4.4$ getcap /usr/bin/cp
/usr/bin/cp cap_dac_override=eip
bash-4.4$
bash-4.4$
bash-4.4$ /usr/bin/cp /etc/os-release /
cp: cannot create regular file '/os-release': Permission denied
bash-4.4$
bash-4.4$
bash-4.4$ exit
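Added diagnostic helpers for narrowing down where the capability goes missing in the two runs above (example code, not from the original post). They assume a Linux host where /proc/self/status exposes the CapInh/CapPrm/CapEff/CapBnd masks and where readlink -f, od and awk exist; the `--check` mode is a hypothetical entry point for running the script inside the container shell.

```sh
#!/bin/sh
# Added diagnostic helpers; not part of the original post. Assumes Linux
# /proc/self/status with 64-bit hex capability masks and readlink -f/od/awk.

CAP_DAC_OVERRIDE=1   # capability number from <linux/capability.h>

# mask_has_cap HEXMASK CAPNUM: succeeds if bit CAPNUM is set in the mask.
mask_has_cap() {
  [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# status_mask STATUS_TEXT SETNAME: pull one set (e.g. CapBnd) out of
# /proc/<pid>/status text and print its hex mask.
status_mask() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# proc_has_cap SETNAME CAPNUM: check the current shell's own capability sets.
# After `docker run --cap-add CAP_DAC_OVERRIDE` with USER nobody, CapBnd holds
# the bit while CapPrm/CapEff do not; execve() of a file stamped with
# cap_dac_override=p can raise it only because the kernel ANDs the file's
# permitted bits with the process bounding set.
proc_has_cap() {
  mask_has_cap "$(status_mask "$(cat /proc/self/status)" "$1")" "$2"
}

# exec_kind PATH: report what setcap actually stamped. setcap follows
# symlinks, and the kernel honours file capabilities only on native (ELF)
# executables; on a "#!" interpreter script they are ignored, like setuid.
exec_kind() {
  target=$(readlink -f "$1") || return 1
  magic=$(od -An -tx1 -N4 "$target" | tr -d ' \n')
  case $magic in
    7f454c46) echo "elf $target" ;;
    2321*)    echo "script $target" ;;
    *)        echo "other $target" ;;
  esac
}

# Hypothetical entry point: run `sh caps.sh --check` inside the container.
if [ "${1:-}" = "--check" ]; then
  for s in CapBnd CapPrm CapEff; do
    if proc_has_cap "$s" "$CAP_DAC_OVERRIDE"; then echo "$s: has CAP_DAC_OVERRIDE"
    else echo "$s: lacks CAP_DAC_OVERRIDE"; fi
  done
  exec_kind /usr/bin/cp
fi
```

Comparing the CapBnd line and the `exec_kind` result between the two images shows whether the bit is absent from the container's bounding set or whether the stamped file is not one the kernel will honour.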