docker dropping capabilities not working as expected?

Time:11-15

From this docker doc page - https://docs.docker.com/engine/security/#linux-kernel-capabilities

Processes (like web servers) that just need to bind on a port below 1024 do not need to run as root: they can just be granted the net_bind_service.

Below is my Dockerfile -

FROM ubuntu:20.04
#FROM openjdk:11-jre-slim
LABEL description="This is hello-docker app"
LABEL version="1.0.0-snapshot"

#distro specific things before application specific things
#this will be cached, so you have to build with --no-cache option
RUN apt-get update && apt-get install -y openjdk-11-jdk

#just for demo - installed for demo
RUN apt-get install -y sudo
RUN sudo sh -c 'echo root:root | chpasswd'


#ENV APP_HOME /usr/apps
ENV APP_HOME=/myapps
RUN mkdir -p $APP_HOME

#with customuser/appuser
RUN groupadd  appgroup && useradd -g appgroup appuser
#RUN groupadd -g 999 appgroup && useradd -r -u 999 -g appgroup appuser
#COPY --chown=appuser:appgroup hello-docker-0.0.1-SNAPSHOT.jar /

COPY --chown=nobody:nogroup hello-docker-0.0.1-SNAPSHOT.jar $APP_HOME

#documenting that the application exposes these ports
EXPOSE 8080 8081

#switching to non-root user. This is recommended for security purpose
#USER appuser
USER nobody

WORKDIR $APP_HOME
RUN pwd
RUN ls -l

# this command (bash) can be overwritten while running the image using arguments
#CMD ["bash"]

#ENTRYPOINT ["sh", "-c"]
#CMD ["exec java  -jar hello-docker-0.0.1-SNAPSHOT.jar"]

ENTRYPOINT ["java", "-jar", "-Dserver.port=80",  "./hello-docker-0.0.1-SNAPSHOT.jar"]

  1. As can be observed, I have switched to the nobody user. This user is NOT root. So this user should not be able to bind to any port below 1024 and the container should fail at startup. But it's succeeding and I am able to access the web application on port 80. WHY?

  2. I tried removing the capability explicitly, but still the container is succeeding. WHY STILL????

    docker run --name hello-docker -it --cap-drop net_bind_service --rm -p 80:80 dockerdemo/hello-docker:1.0

    The container ran successfully even after removing the net_bind_service capability.

Any help is greatly appreciated.

Edit -
Q3 - related to the above. The same docker security doc mentioned above points to this page - https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19 What does "default" here refer to: capabilities granted to any user (root or not root), or only to the root user? If only root, then what capabilities are granted to a non-root user? None?

CodePudding user response:

You don't have the capability to bind to privileged ports. What has changed is that unprivileged ports don't start at the normal 1024 inside containers. Instead, it's set to 0, so every port is unprivileged. The privileged restriction doesn't make sense for a single-user / single-application environment.

See this PR for more details: https://github.com/moby/moby/pull/41030
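The following script is an added example, not part of the original question or answer. It models the kernel's decision in inet_bind() with two pure shell functions (a port is refused only when it is below net.ipv4.ip_unprivileged_port_start AND the caller's effective capability set lacks CAP_NET_BIND_SERVICE, capability number 10), and an explain_self helper that reads the real CapEff line from /proc/self/status and the real sysctl when run inside a container. The hex masks in the comments are constructed sample values (the classic Docker default bounding set for root, and the all-zero effective set a non-root USER ends up with); the EXPLAIN_PORT variable is an assumption of this script, not a Docker setting.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the kernel's
# decision for bind() on a low port and inspect it from inside a container.
#
# Linux (inet_bind) returns EACCES only if BOTH hold:
#   port < net.ipv4.ip_unprivileged_port_start   (1024 on a normal host)
#   the caller lacks CAP_NET_BIND_SERVICE in its effective set (CapEff)
# Docker >= 20.10 sets that sysctl to 0 in the container's network
# namespace, so the first condition is never true and `nobody` binds :80.

CAP_NET_BIND_SERVICE=10   # capability number from <linux/capability.h>

# cap_set_has HEXMASK BIT : succeed if bit BIT is set in a CapEff/CapBnd mask
# Sample masks (constructed): 00000000a80425fb = Docker default set for root,
# 00000000a80421fb = same set after --cap-drop net_bind_service,
# 0000000000000000 = effective set of a non-root USER with no file caps.
cap_set_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bind_allowed PORT START HEXMASK : model of the kernel check (0 = allowed)
bind_allowed() {
    port=$1; start=$2; caps=$3
    if [ "$port" -lt "$start" ] && ! cap_set_has "$caps" "$CAP_NET_BIND_SERVICE"; then
        return 1
    fi
    return 0
}

# explain_self PORT : run inside a container to see why a bind succeeds/fails
explain_self() {
    port=${1:-80}
    eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
    echo "uid=$(id -u) CapEff=$eff ip_unprivileged_port_start=$start"
    if bind_allowed "$port" "$start" "$eff"; then
        echo "bind to port $port: allowed"
    else
        echo "bind to port $port: EACCES (port is privileged and CAP_NET_BIND_SERVICE is missing)"
    fi
}

# EXPLAIN_PORT is this script's own switch (assumption): set it to probe the
# current process, e.g. EXPLAIN_PORT=80 sh explain.sh inside the container.
if [ -n "${EXPLAIN_PORT:-}" ]; then
    explain_self "$EXPLAIN_PORT"
fi
```

To see the two inputs directly, `docker run --rm ubuntu:20.04 cat /proc/sys/net/ipv4/ip_unprivileged_port_start` prints 0 on Docker 20.10 and later, and `grep CapEff /proc/self/status` as `nobody` prints all zeros regardless of `--cap-drop`, which is why dropping net_bind_service changes nothing for a non-root USER. Passing `--sysctl net.ipv4.ip_unprivileged_port_start=1024` to `docker run` restores the host default, and with it the EACCES on port 80 that the question expected.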
