non-root user's strange privilege on xenial/yakkety

Asked by YAEGASHI Takeshi

Using docker.io 1.12.6 on xenial or yakkety, I was astonished that non-root users in containers had root-equivalent privileges on both the container and host (mounted volume) filesystems. On zesty that behavior seems fixed, and docker-ce 17.03.1 on xenial also fixes it.

Is this an Ubuntu specific bug, or expected behavior? I couldn't find any comments about the fix in package changelog or zesty release notes.

In the following, I was running docker.io 1.12.6 on cleanly installed yakkety.

$ docker run --rm -it -u 10000:10000 ubuntu:16.04
groups: cannot find name for group ID 10000
I have no name!@e9045b423102:/$ id
uid=10000 gid=10000 groups=10000
I have no name!@e9045b423102:/$ cd /root
I have no name!@e9045b423102:/root$ touch a
I have no name!@e9045b423102:/root$ ls -la
total 16
drwx------ 2 root root 4096 May 10 20:46 .
drwxr-xr-x 35 root root 4096 May 10 20:46 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 10000 10000 0 May 10 20:46 a

More strange stuff was this:

$ docker run --rm -it ubuntu:16.04
root@419a796ec0f2:/# useradd ubuntu
root@419a796ec0f2:/# su ubuntu
ubuntu@419a796ec0f2:/$ cd /root
bash: cd: /root: Permission denied
ubuntu@419a796ec0f2:/$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)

docker info:

$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 1.12.6
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 15
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null bridge overlay host
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.8.0-51-generic
Operating System: Ubuntu 16.10
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 3.613 GiB
Name: dev-t-yaegashi-004
ID: 7C3U:L7PQ:EI4E:JWS4:7RCV:KWZ5:NPDD:2TIJ:7OOC:TVLZ:FJCO:NZ6K
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

I see expected behavior with docker.io 1.12.6 on zesty:

$ docker run --rm -it -u 10000:10000 ubuntu:16.04
groups: cannot find name for group ID 10000
I have no name!@2ee03f8ada45:/$ cd /root
bash: cd: /root: Permission denied
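A check a practitioner would run inside such a container, as an added example that is not part of the question and not Docker's own tooling: decode the capability sets the kernel reports in /proc/self/status and flag a non-root effective uid that still holds effective capabilities. A uid 10000 process creating files in a 0700 root-owned directory is what CAP_DAC_OVERRIDE in the effective set would produce, but that is an assumption made here for the check; the page does not establish the cause. The status dumps embedded in the script are constructed for illustration, and the mask 00000000a80425fb is the default capability set Docker of that era grants to root in a container.

```python
# Added example (not from the original question): decode the capability sets
# in /proc/<pid>/status and flag a non-root euid that still has effective caps.
# Example invocation inside a container (image name and mount are assumptions):
#   docker run --rm -u 10000:10000 -v "$PWD":/x python:3 python /x/capcheck.py
# The SAMPLE_* status blocks below are constructed, not captured from a host.

# Capability names indexed by bit number, as in linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]


def decode_caps(hexmask):
    """Turn a CapXxx hex bitmask from /proc/<pid>/status into a set of names."""
    mask = int(hexmask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def parse_status(text):
    """Split the 'Key:\\tvalue' lines of a /proc status file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit(status_text):
    """Return (euid, effective_caps, findings) for one /proc status dump."""
    fields = parse_status(status_text)
    # Uid line holds real, effective, saved and filesystem uid in that order.
    euid = int(fields["Uid"].split()[1])
    eff = decode_caps(fields["CapEff"])
    findings = []
    if euid != 0 and eff:
        findings.append("non-root euid %d has effective caps: %s"
                        % (euid, ", ".join(sorted(eff))))
        if "CAP_DAC_OVERRIDE" in eff:
            findings.append("CAP_DAC_OVERRIDE bypasses DAC permission checks; "
                            "it would let this uid write into a 0700 root-owned dir")
    return euid, eff, findings


# Constructed sample: what a uid 10000 shell that kept root's default caps looks like.
SAMPLE_SUSPECT = """Name:\tbash
Uid:\t10000\t10000\t10000\t10000
Gid:\t10000\t10000\t10000\t10000
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

# Constructed sample: the expected state after execve as a non-root uid.
SAMPLE_CLEAN = """Name:\tbash
Uid:\t10000\t10000\t10000\t10000
Gid:\t10000\t10000\t10000\t10000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
"""

# Constructed sample: root in a default container, which is not a finding.
SAMPLE_ROOT = """Name:\tbash
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            euid, eff, findings = audit(fh.read())
    except OSError:  # not Linux or no procfs: fall back to the constructed sample
        euid, eff, findings = audit(SAMPLE_SUSPECT)
    print("euid=%d effective=%s" % (euid, sorted(eff)))
    for f in findings:
        print("FINDING:", f)
```

Without Python in the image, `grep -E '^(Uid|Cap)' /proc/self/status` run as the `-u 10000:10000` user gives the same raw fields, and `capsh --decode=<hex>` from libcap expands a mask by hand. A non-root euid with a non-zero CapEff is the thing to report in the bug, alongside the docker info output above.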

Question information

Status:
Answered
For:
Ubuntu docker.io
actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug. Mark it as a security bug.

YAEGASHI Takeshi (yaegashi) said :
#2

Can you help with this problem?
