Block the use of setuid/setgid in containers for dangerous binaries in user namespaces

Solution Verified - Updated -

Issue

  • If running a Docker container with user namespaces support with --cap-drop=all, binaries inside the container can still become root and eventually use setgid/setuid.
    For example:

    # docker run --rm -ti --name setuid_test --cap-drop=all --user 1000:1000 cajga/evil_nginx_image bash
    # I have no name!@c2836c61dd38:/$ ls -l /bash
    -rwsrwxrwx. 1 root root 1099016 Dec  7 20:10 /bash
    # I have no name!@c2836c61dd38:/$ id
    uid=1000 gid=1000 groups=1000
    # I have no name!@c2836c61dd38:/$ /bash -p
    # bash-4.4# id
    uid=1000 gid=1000 euid=0(root) groups=1000
    

Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • Docker

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In