non-root user's strange privilege on xenial/yakkety

Asked by YAEGASHI Takeshi on 2017-05-10

Using 1.12.6 on xenial or yakkety, I was astonished that non-root users in containers had root equivalent privileges on both container and host (mounted volume) filesystem. On zesty that behavior seems fixed, and docker-ce 17.03.1 on xenial also fixes it.

Is this an Ubuntu specific bug, or expected behavior? I couldn't find any comments about the fix in package changelog or zesty release notes.

In the following I was running 1.12.6 on cleanly installed yaketty.

$ docker run --rm -it -u 10000:10000 ubuntu:16.04
groups: cannot find name for group ID 10000
I have no name!@e9045b423102:/$ id
uid=10000 gid=10000 groups=10000
I have no name!@e9045b423102:/$ cd /root
I have no name!@e9045b423102:/root$ touch a
I have no name!@e9045b423102:/root$ ls -la
total 16
drwx------ 2 root root 4096 May 10 20:46 .
drwxr-xr-x 35 root root 4096 May 10 20:46 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 10000 10000 0 May 10 20:46 a

More strange stuff was this:

$ docker run --rm -it ubuntu:16.04
root@419a796ec0f2:/# useradd ubuntu
root@419a796ec0f2:/# su ubuntu
ubuntu@419a796ec0f2:/$ cd /root
bash: cd: /root: Permission denied
ubuntu@419a796ec0f2:/$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)

docker info:

$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 1.12.6
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 15
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
 Volume: local
 Network: null bridge overlay host
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.8.0-51-generic
Operating System: Ubuntu 16.10
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 3.613 GiB
Name: dev-t-yaegashi-004
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
WARNING: No swap limit support
Insecure Registries:

I see expected behavior with 1.12.6 on zesty:

$ docker run --rm -it -u 10000:10000 ubuntu:16.04
groups: cannot find name for group ID 10000
I have no name!@2ee03f8ada45:/$ cd /root
bash: cd: /root: Permission denied

Question information

English Edit question
Ubuntu Edit question
No assignee Edit question
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said :

I suggest you report a bug. Mark it as a security bug

Revision history for this message
YAEGASHI Takeshi (yaegashi) said :

Can you help with this problem?

Provide an answer of your own, or ask YAEGASHI Takeshi for more information if necessary.

To post a message you must log in.