[lxc-devel] Followup to: capset fails with userns

Serge Hallyn serge.hallyn at ubuntu.com
Thu Feb 12 03:33:45 UTC 2015


Quoting Christian Brauner (christianvanbrauner at gmail.com):
> Here is the original problem which I'm still
> experiencing with lxc 1.1:
> 
> > w/ userns:
> > [root at fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> > Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
> > [root at fedora2 ~]# id
> > uid=0(root) gid=0(root) groups=0(root)
> > 
> > w/o userns:
> > [root at fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> > [root at fedora2 ~]# getcap /usr/bin/ping
> > /usr/bin/ping = cap_net_admin,cap_net_raw+ep
> > [root at fedora2 ~]# id
> > uid=0(root) gid=0(root) groups=0(root)
> > 
> > every yum install <pkg> where the pkg has file capabilities fails with
> > 
> > Error unpacking rpm package <PKG>
> > error: unpacking of archive failed on file <FILE>: cpio: cap_set_file
> > 
> > is there a way to get this working?
> 
> (posted by Stephan Sachse)
> 
> The relevant threads are:
> https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-February/008220.html
> 
> and:
> https://www.redhat.com/archives/libvir-list/2014-February/msg01545.html
> 
> Has there been a solution to this problem / an acceptable patch? Running Fedora
> Rawhide unprivileged trying to install iputils still shows this behaviour.

The only way I can see this being done safely would be to have capability
sets be annotated with a kuid_t representing the root in the namespace
of the tasks who wrote the capabilities.  No one is working on this.  If
you want it, you'll need to write the patch and advocate for it.

-serge
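As an added example, not part of this thread: a parser for the raw `security.capability` xattr that `setcap` writes, following the layout in the kernel's uapi `linux/capability.h`. The revision-2 blob has no field naming which root wrote it, which is the gap described above; the later revision-3 layout (Linux 4.14) appends exactly such a `rootid`, and the parser handles both. The sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Values mirror the kernel's uapi/linux/capability.h; defined locally so this
 * builds without kernel headers. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_2      0x02000000u   /* no namespace annotation */
#define VFS_CAP_REVISION_3      0x03000000u   /* adds rootid (Linux 4.14+) */
#define XATTR_CAPS_SZ_2 20
#define XATTR_CAPS_SZ_3 24
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13

struct filecaps {
    unsigned revision;     /* 2 or 3 */
    int effective;         /* the "+e" in "cap_net_admin,cap_net_raw+ep" */
    uint64_t permitted, inheritable;
    uint32_t rootid;       /* rev 3 only: kuid of root in the writer's userns */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a raw security.capability xattr value. Returns 0 on success, -1 if the
 * blob is malformed (unknown revision or wrong length for its revision). */
int parse_filecaps(const unsigned char *buf, size_t len, struct filecaps *out) {
    if (len < 4) return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    size_t want = rev == VFS_CAP_REVISION_2 ? XATTR_CAPS_SZ_2 :
                  rev == VFS_CAP_REVISION_3 ? XATTR_CAPS_SZ_3 : 0;
    if (want == 0 || len != want) return -1;
    memset(out, 0, sizeof *out);
    out->revision  = rev >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* data[0] holds caps 0-31, data[1] holds caps 32-63 */
    out->permitted   = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3) out->rootid = le32(buf + 20);
    return 0;
}

/* Constructed sample: what setcap 'cap_net_admin,cap_net_raw+ep' stores (rev 2). */
const unsigned char sample_caps_v2[XATTR_CAPS_SZ_2] = {
    0x01,0x00,0x00,0x02,   /* magic_etc: rev 2 | effective   */
    0x00,0x30,0x00,0x00,   /* data[0].permitted: bits 12,13  */
    0x00,0x00,0x00,0x00,   /* data[0].inheritable            */
    0,0,0,0, 0,0,0,0 };    /* data[1]: caps 32-63, all clear */
```

A revision-2 value parsed from a file tells you nothing about which user namespace's root set it, which is why an unprivileged container root cannot be allowed to write one.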