Bug 1120579 - As root in unprivileged container, cannot kill process of different user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1109938
Reported: 2014-07-17 08:32 UTC by Jan Pazdziora
Modified: 2019-03-06 01:15 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-18 20:46:22 UTC




Links:
Red Hat Product Errata RHBA-2014:1266 (priority: normal, status: SHIPPED_LIVE) - docker bug fix and enhancement update, last updated 2014-09-19 00:45:12 UTC

Description Jan Pazdziora 2014-07-17 08:32:47 UTC
Description of problem:

I am able to start processes in unprivileged container via runuser (but see bug 1120567 about it being broken in docker 1+). However, I do not seem to be able to kill the process from my root shell anymore.

Version-Release number of selected component (if applicable):

docker-0.11.1-22.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Run # docker run -ti rhel7 /bin/bash
2. In the container install /usr/bin/ps: bash-4.2# yum install -y /usr/bin/ps
3. In the container, run process as different user: bash-4.2# runuser -u ftp sleep 6000 &
4. Get the pid of the sleep process: bash-4.2# ps au | grep sleep
root        33  0.0  0.0  41360  1440 ?        S    04:28   0:00 runuser -u ftp sleep 6000
ftp         34  0.0  0.0   4312   360 ?        S    04:28   0:00 sleep 6000
root        46  0.0  0.0   9032   672 ?        S+   04:29   0:00 grep sleep
5. Attempt to kill the process: bash-4.2# kill 34 ; echo $?

Actual results:

bash: kill: (34) - Operation not permitted
1

Expected results:

0

and process killed.

Additional info:

I can send the signal to the process via runuser: runuser -u ftp kill 34

Comment 2 Daniel Walsh 2014-07-22 17:33:21 UTC
With docker-1.1.1 I get a different error; basically runuser is failing.

It works if I execute:

docker run --cap-add audit_write --rm -ti fedora /bin/sh

And in this case I don't see a problem with killing the process.

pscap shows the following access.

20785 6386  root        sh                chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap, cap_37
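
To check from inside the container whether root's effective capabilities really include CAP_KILL (the bit that `kill 34` needs against a process owned by `ftp`) and the CAP_AUDIT_WRITE that comment 2 adds, here is an added helper that is not part of the bug report: it decodes the CapEff mask from /proc/<pid>/status. SAMPLE_MASK is a constructed value chosen to match the capability names in comment 2's pscap line, and the bit numbers are the kernel's capability.h values.

```shell
#!/bin/sh
# Decode a capability bitmask as printed in /proc/<pid>/status (CapEff, CapPrm,
# CapBnd) and report the bits this bug depends on.
#   CAP_KILL        = bit 5  : needed to signal a process owned by another uid
#   CAP_AUDIT_WRITE = bit 29 : what comment 2 adds so runuser/PAM can log to audit

# cap_has MASK BIT  -> exit 0 if BIT is set in the hex MASK, 1 otherwise.
# The low and high 32-bit halves are handled separately so the arithmetic
# never needs more than 32 bits, which keeps it portable across sh variants.
cap_has() {
    mask="0000000000000000$1"                # left-pad to at least 16 hex digits
    mask=${mask#"${mask%????????????????}"}  # keep only the last 16 hex digits
    bit=$2
    if [ "$bit" -lt 32 ]; then
        word=${mask#"${mask%????????}"}      # low 32 bits
    else
        word=${mask%????????}                # high 32 bits
        bit=$((bit - 32))
    fi
    [ $(( (0x$word >> bit) & 1 )) -eq 1 ]
}

# cap_report [PID]  -> print the status of the relevant bits for PID (default: self).
cap_report() {
    eff=$(awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status") || return 1
    echo "CapEff of pid ${1:-self}: $eff"
    for entry in chown:0 setgid:6 setuid:7 kill:5 audit_write:29; do
        name=${entry%%:*}
        if cap_has "$eff" "${entry##*:}"; then
            echo "  $name: present"
        else
            echo "  $name: MISSING"
        fi
    done
}

# Constructed mask matching the capability names in comment 2's pscap output
# (chown through setfcap; cap_37 left out): kill and audit_write are both set.
SAMPLE_MASK=00000000a80425fb

if [ "$#" -gt 0 ]; then
    cap_report "$1"      # e.g. `sh capcheck.sh 34` inside the container
fi
```

Run it against the pid that refused the signal; if `kill: MISSING` is printed, the failure is a capability-set problem rather than a uid check in the target process.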

Comment 3 Daniel Walsh 2014-07-24 13:36:15 UTC
I just ran this test with

docker-1.1.1-3.el7.x86_64

And it worked fine.

Comment 5 errata-xmlrpc 2014-09-18 20:46:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1266.html
