Bug 1012952
| Field | Value |
|---|---|
| Summary | docker: error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file |
| Product | Fedora |
| Component | docker-io |
| Version | rawhide |
| Status | CLOSED RAWHIDE |
| Reporter | Marek Goldmann <mgoldman> |
| Assignee | Lokesh Mandvekar <lsm5> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bressers, dwalsh, goeran, jkeck, lsm5, mattdm, mgoldman |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2013-10-31 05:19:29 UTC |
Description
Marek Goldmann
2013-09-27 12:35:41 UTC
Created attachment 803970 [details]
strace from rpm installation of httpd in a container
Attaching a strace log where we can see that the issue is in setting the "security.capability" attribute with the value "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" for the /usr/sbin/suexec file.
=====================
ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
removexattr("/usr/sbin/suexec", "security.capability") = -1 EPERM (Operation not permitted)
rename("/usr/sbin/suexec;52458e7c", "/usr/sbin/suexec") = 0
getuid() = 0
getuid() = 0
chown("/usr/sbin/suexec", 0, 48) = 0
chmod("/usr/sbin/suexec", 0510) = 0
utime("/usr/sbin/suexec", [2013/09/27-13:22:45, 2013/09/27-13:22:45]) = 0
getuid() = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
lstat("/usr/sbin/suexec", {st_mode=S_IFREG|0510, st_size=19456, ...}) = 0
setxattr("/usr/sbin/suexec", "security.capability", "\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 20, 0) = -1 EPERM (Operation not permitted)
close(23) = 0
munmap(0x7f4a8238d000, 4096
=====================
The filesystem is mounted like this:
/dev/mapper/docker-39fbe6132eb8f36bf6ef24024b0762ddc28a145f26f944ad16d827addd3a2916 on / type ext4 (rw,relatime,discard,stripe=64,data=ordered)
I think that this is related to blocking Linux capabilities: https://github.com/dotcloud/docker/blob/5a01f7485c6df95f747e08d2cad3d4c934b811bc/lxc_template.go#L114 In particular, we see "setfcap" listed there, which is required to run setxattr() on files. Maybe we can drop "setfcap" from the template to make it work?

BTW: There is a different option, "lxc.cap.drop", coming: http://sourceforge.net/mailarchive/message.php?msg_id=31054627

We need someone with security expertise to review, but I think the general sense is that allowing setfcap in non-privileged mode should be okay.

Created attachment 804061 [details]
Remove setfcap from lxc.cap.drop

I can confirm that removing setfcap from lxc.cap.drop fixes this issue. I'm attaching a patch that can be applied against Rawhide directly.
Hope someone can confirm that it's safe to do so.

I would not confirm that it is safe. BUT, since you are allowing setting a file to 4755 ROOT/ROOT, this is less unsafe, although I always believed that adding setuid or setgid permissions on a file should be governed by setfcap... We do not currently allow this in virt-sandbox containers, but we don't do installs there.

"less unsafe" seems like the magic words here. I have applied this patch and a docker-io package is available in my repo: http://goldmann.fedorapeople.org/repos/docker.repo Grab version >= 0.6.3-2.
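Added example (not code from the bug report, docker or rpm): a decoder for the 20-byte "security.capability" value that the strace in the description shows rpm/cpio trying to write on /usr/sbin/suexec, using the revision-2 struct vfs_cap_data layout from linux/capability.h. It makes visible what the failed setxattr() would have granted (cap_setuid and cap_setgid, permitted and effective), which is the kind of file capability that writing requires CAP_SETFCAP and that a reviewer would want to audit with getcap on container images once setfcap is no longer dropped.

```c
/* Decode a "security.capability" xattr value (struct vfs_cap_data, revision 2,
 * from linux/capability.h). The struct and constants are re-declared here so
 * the program needs only libc and runs on any platform. */
#include <stdint.h>
#include <stdio.h>

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define CAP_SETGID  6   /* capability numbers from linux/capability.h */
#define CAP_SETUID  7
#define CAP_SETFCAP 31

struct fcaps {
    uint32_t revision;    /* VFS_CAP_REVISION_* value */
    int effective;        /* VFS_CAP_FLAGS_EFFECTIVE set (the "e" in getcap output) */
    uint64_t permitted;   /* bit n set == capability number n */
    uint64_t inheritable;
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a raw xattr value. Returns 0 on success, -1 if it is not a
 * well-formed revision-2 blob (wrong magic or buffer shorter than 20 bytes). */
int parse_vfs_cap(const unsigned char *buf, size_t len, struct fcaps *out) {
    if (len < 4) return -1;
    uint32_t magic = le32(buf);
    out->revision  = magic & VFS_CAP_REVISION_MASK;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    if (out->revision != VFS_CAP_REVISION_2 || len < 20) return -1;
    /* rev 2: magic, then {permitted, inheritable} for the low and the high 32 bits */
    out->permitted   = (uint64_t)le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    return 0;
}

int fcaps_has(const struct fcaps *c, int cap) { return (int)((c->permitted >> cap) & 1); }

/* The exact bytes from the setxattr() call in the strace; the rest are zero. */
static const unsigned char suexec_blob[20] = { 0x01, 0x00, 0x00, 0x02, 0xc0 };

int main(void) {
    struct fcaps c;
    if (parse_vfs_cap(suexec_blob, sizeof suexec_blob, &c) != 0) return 1;
    printf("rev=0x%08x effective=%d permitted=0x%llx setuid=%d setgid=%d\n",
           (unsigned)c.revision, c.effective, (unsigned long long)c.permitted,
           fcaps_has(&c, CAP_SETUID), fcaps_has(&c, CAP_SETGID));
    return 0;
}
```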