Description of problem:
I am able to start processes in unprivileged container via runuser (but see bug 1120567 about it being broken in docker 1+). However, I do not seem to be able to kill the process from my root shell anymore.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run # docker run -ti rhel7 /bin/bash
2. In the container install /usr/bin/ps: bash-4.2# yum install -y /usr/bin/ps
3. In the container, run process as different user: bash-4.2# runuser -u ftp sleep 6000 &
4. Get the pid of the sleep process: bash-4.2# ps au | grep sleep
root 33 0.0 0.0 41360 1440 ? S 04:28 0:00 runuser -u ftp sleep 6000
ftp 34 0.0 0.0 4312 360 ? S 04:28 0:00 sleep 6000
root 46 0.0 0.0 9032 672 ? S+ 04:29 0:00 grep sleep
5. Attempt to kill the process: bash-4.2# kill 34 ; echo $?
bash: kill: (34) - Operation not permitted
and process killed.
I can send the signal to the process via runuser: runuser -u ftp kill 34
With docker-1.1.1 I get a different error; basically runuser is failing.
It works if I execute:
docker run --cap-add audit_write --rm -ti fedora /bin/sh
And in this case I don't see a problem with killing the process.
pscap shows the following access.
20785 6386 root sh chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap, cap_37
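The pscap output above is a decoded view of the process's effective capability set, which the kernel exposes as a hex bitmask in /proc/<pid>/status (CapEff). The following decoder is an added example written for this page, not something from the bug report or from docker/libcap-ng; it reproduces what pscap prints so that the presence of kill and audit_write in a container shell can be checked without installing pscap. The capability names follow the kernel's numbering, and the mask 00000000a80425fb used in the comments is constructed: it is the bitmask form of the capability list in the pscap output above (chown through setfcap), while 00000000880425fb is that same set with the audit_write bit cleared.

```shell
#!/bin/sh
# Decode a Linux capability bitmask (the CapEff/CapBnd value from
# /proc/<pid>/status) into capability names, the way pscap displays it.
# Added example for this page; not part of the bug report.

# Capability names in kernel bit order, cap 0 .. cap 40.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK
# Prints the names of all set bits, comma separated, lowest bit first.
# Bits beyond the known names are printed as cap_N, as pscap does for
# capabilities its own table does not know (cap_37 in the output above).
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out, }$name"
        fi
        bit=$(( bit + 1 ))
    done
    while [ $bit -lt 64 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out, }cap_$bit"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# has_cap HEXMASK NAME
# Succeeds (exit 0) when NAME is among the decoded capabilities.
has_cap() {
    case ", $(decode_caps "$1"), " in
        *", $2, "*) return 0 ;;
        *) return 1 ;;
    esac
}

# caps_of_pid [PID]
# Reads the effective capability mask of PID (default: the calling shell).
caps_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Constructed mask: the docker default set shown in the pscap output above.
DOCKER_DEFAULT_CAPS=00000000a80425fb

# When run directly inside a container, report this shell's own set and
# whether the two capabilities discussed in this bug are present.
if [ -r /proc/self/status ]; then
    me=$(caps_of_pid self)
    printf 'CapEff %s: %s\n' "$me" "$(decode_caps "$me")"
    for c in kill audit_write; do
        if has_cap "$me" "$c"; then
            printf '  %s: present\n' "$c"
        else
            printf '  %s: MISSING\n' "$c"
        fi
    done
fi
```

Run it as root inside the container from the reproducer (docker run -ti rhel7 /bin/sh < decode.sh, or paste it in); a line reading "audit_write: MISSING" corresponds to the docker 1.0 behaviour where runuser fails until --cap-add audit_write is passed. CapBnd can be decoded the same way to see what the container could ever gain, as opposed to what the shell currently holds.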
I just ran this test with
And it worked fine.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.