non-root user's strange privilege on xenial/yakkety
Using docker.io 1.12.6 on xenial or yakkety, I was astonished that non-root users in containers had root-equivalent privileges on both the container and host (mounted volume) filesystem. On zesty that behavior seems fixed, and docker-ce 17.03.1 on xenial also fixes it.
Is this an Ubuntu-specific bug, or expected behavior? I couldn't find any comments about the fix in the package changelog or the zesty release notes.
In the following I was running docker.io 1.12.6 on a cleanly installed yakkety.
$ docker run --rm -it -u 10000:10000 ubuntu:16.04
groups: cannot find name for group ID 10000
I have no name!@e9045b423
uid=10000 gid=10000 groups=10000
I have no name!@e9045b423
I have no name!@e9045b423
I have no name!@e9045b423
total 16
drwx------ 2 root root 4096 May 10 20:46 .
drwxr-xr-x 35 root root 4096 May 10 20:46 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 10000 10000 0 May 10 20:46 a
More strange stuff was this:
$ docker run --rm -it ubuntu:16.04
root@419a796ec0
root@419a796ec0
ubuntu@
bash: cd: /root: Permission denied
ubuntu@
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)
docker info:
$ docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 3
Server Version: 1.12.6
Storage Driver: aufs
Root Dir: /var/lib/
Backing Filesystem: extfs
Dirs: 15
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: null bridge overlay host
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.8.0-51-generic
Operating System: Ubuntu 16.10
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 3.613 GiB
Name: dev-t-yaegashi-004
ID: 7C3U:L7PQ:
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https:/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
I see expected behavior with docker.io 1.12.6 on zesty:
$ docker run --rm -it -u 10000:10000 ubuntu:16.04
groups: cannot find name for group ID 10000
I have no name!@2ee03f8ad
bash: cd: /root: Permission denied
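A regression check for the behaviour described in the question, added here as an example (it is not part of the question or of the docker.io package). It runs a container as an unprivileged uid/gid and verifies that ordinary file permissions are enforced for that user, both inside the image (/root is a root-owned 0700 directory in ubuntu:16.04) and on a bind-mounted host directory, which is the second place the question reports root-equivalent access. It assumes a working docker CLI and that it is run as root so the temporary volume is root-owned; the image name and uid are arbitrary choices, and the helper names are mine.

```shell
#!/bin/sh
# Added regression check, not from the original question or the docker.io
# package. Runs a container as an unprivileged uid/gid and confirms that
# ordinary DAC permissions apply to it, inside the image and on a bind mount.
# Assumptions: a working `docker` CLI; run as root so mktemp's directory is
# root-owned; IMAGE and UNPRIV are arbitrary choices.
set -u

IMAGE="${IMAGE:-ubuntu:16.04}"
UNPRIV="${UNPRIV:-10000:10000}"

# access_result CMD...: run CMD, print "allowed" if it exits 0, else "denied".
access_result() {
  if "$@" >/dev/null 2>&1; then
    echo allowed
  else
    echo denied
  fi
}

# verdict IMAGE_RESULT VOLUME_RESULT: PASS only when both probes were denied.
# Any "allowed" means the unprivileged container user bypassed file
# permissions, which is the behaviour reported for docker.io 1.12.6 above.
verdict() {
  if [ "$1" = denied ] && [ "$2" = denied ]; then
    echo PASS
  else
    echo FAIL
  fi
}

probe() {
  # Preflight: a docker failure unrelated to permissions would also read as
  # "denied", so make sure the image runs at all before trusting a result.
  if ! docker run --rm "$IMAGE" true >/dev/null 2>&1; then
    echo "SKIP: cannot run $IMAGE"
    return 2
  fi

  # Root-owned 0700 directory on the host (mktemp -d creates it mode 0700,
  # and we are running as root).
  vol=$(mktemp -d)

  # Probe 1: list /root inside the image as the unprivileged user.
  img=$(access_result docker run --rm -u "$UNPRIV" "$IMAGE" ls /root)

  # Probe 2: create a file in the root-owned host directory via a bind mount.
  mnt=$(access_result docker run --rm -u "$UNPRIV" -v "$vol:/probe" "$IMAGE" touch /probe/a)

  rm -rf "$vol"
  echo "image /root: $img, bind-mounted host dir: $mnt"
  result=$(verdict "$img" "$mnt")
  echo "$result"
  [ "$result" = PASS ]
}

# Only run the probe when invoked as `sh probe.sh run`, so the helper
# functions can be sourced on their own.
if [ "${1:-}" = run ]; then
  probe
fi
```

On an engine with the reported behaviour both probes print "allowed" and the script exits non-zero; on a fixed engine (the zesty result in the question) both print "denied" and it prints PASS. Because any docker error also shows up as "denied", the preflight run of the image is what keeps a broken daemon from masquerading as a pass.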
Question information
- Language: English
- Status: Answered
- For: Ubuntu docker.io
- Assignee: No assignee
- Asked by: YAEGASHI Takeshi