
[2.0 regression] Rootless non-root user capability are no longer added #6884

Closed
TristanCacqueray opened this issue Jul 7, 2020 · 22 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue

Comments

@TristanCacqueray
Contributor

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Capabilities set using --cap-add are no longer added to non-root user.

Steps to reproduce the issue:

  1. podman run --user 1000 --device /dev/net/tun --cap-add NET_ADMIN fedora getpcaps 1

Describe the results you received:

Capabilities for `1': =

Describe the results you expected:

Capabilities for `1': = cap_net_admin+eip

Additional information you deem important (e.g. issue happens only occasionally):

This got introduced by fe69aa9

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 7, 2020
@mheon
Member

mheon commented Jul 7, 2020

@rhatdan PTAL

@TristanCacqueray
Contributor Author

I meant perhaps this is not a regression and that was actually a bug fix, though that would be quite unfortunate as being able to use /dev/net/tun as regular user is quite handy. If this is no longer possible, then podman could fail early when --cap-add is used along with --user instead.

@rhatdan
Member

rhatdan commented Jul 7, 2020

podman run --device /dev/net/tun --cap-add NET_ADMIN fedora getpcaps 1
Capabilities for `1': = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip

We add the capability to the bounding set, but not to the individual user.

Is the expected behavior that --cap-add would add NET_ADMIN to the user process, i.e. CAPEFF?

@github-actions

github-actions bot commented Aug 7, 2020

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Aug 7, 2020

@TristanCacqueray Are you still interested in this issue? If so, answer my question above, please.

@TristanCacqueray
Contributor Author

@rhatdan I would expect the --cap-add option to be effective for user processes too. Though I am not sure of the implications, and if that's not a good behavior, then perhaps podman could warn about capabilities not being effective with the --user option as this can be a surprising change when updating from podman 1.x.

@dadevel

dadevel commented Aug 7, 2020

@rhatdan: Quickly throwing in my opinion: Yes, exactly like you said. Commands like podman run -it --rm --user nobody --cap-add net_bind_service example/alpine nc -lp 80 or podman run -it --rm --user nobody --cap-add net_admin --network host example/nftables nft list ruleset or podman run -it --rm --user nobody --cap-add sys_rawio --device /dev/sda --device /dev/sdb example/smartmontools smartctl --scan should just work out of the box instead of fiddling with setcap in the image build process.

@rhatdan
Member

rhatdan commented Aug 8, 2020

And you are saying this used to work?
If you do this same thing with Docker what happens?

@TristanCacqueray
Contributor Author

@rhatdan I can't tell for Docker, but this used to work with podman 1.x:

$ podman --version
podman version 1.8.2
$ podman run --user 1000 --device /dev/net/tun --cap-add NET_ADMIN fedora getpcaps 1
Capabilities for `1': = cap_net_admin+eip

@dadevel

dadevel commented Aug 8, 2020

@rhatdan: Docker doesn't support it. A related issue was closed without really fixing the problem.

@rhatdan
Member

rhatdan commented Aug 9, 2020

Well, if we supported this in podman 1.* then this is a regression. I kind of like the idea, for when a user specifies a user.
Would we do the same thing if the user was specified in the image? I.e. if
USER FOOBAR
was listed in the Containerfile?

@dadevel

dadevel commented Aug 9, 2020

Yes, I think so. For example if you have this Dockerfile

FROM alpine
ENTRYPOINT ["nc"]
CMD ["-lp", "80"]
USER nobody

then podman run -it --rm --cap-add net_bind_service me/example and podman run -it --rm --cap-add net_bind_service --user nobody me/example should have the same behavior.

@micah

micah commented Aug 13, 2020

FWIW, I ran into this issue. I had a container that had a capability set, and then later when podman was updated, that capability was no longer honored (because of the --user). I was able to rebuild the container and do a setcap there on the binary, but I think it would be useful if this would work again.

@vrothberg
Member

@rhatdan, can we revive the issue?

@rhatdan
Member

rhatdan commented Sep 10, 2020

This has been fixed in master and podman 2.0.6

@rhatdan rhatdan closed this as completed Sep 10, 2020
@nmasse-itix

Hi there!

While trying to practice what was explained in this article, I stumbled on this issue.

I'm observing this issue on podman 2.1.1, while the previous message says it has been fixed in 2.0.6.

$ podman version
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.15.2
Built:        Wed Oct  7 18:21:20 2020
OS/Arch:      linux/amd64

When running a container with "--user" and "--cap-add", the capability is added to the bounding set:

$ sudo podman run -d --cap-drop all --cap-add net_bind_service --user nobody:nobody fedora sleep 100
ddd028f8abdbbe2651efdd29a98287223989cc8f5585c0ec8e4cc2decaeb7f89

$ sudo podman top -l capbnd
BOUNDING CAPS
NET_BIND_SERVICE

But is not effective:

$ sudo podman top -l capeff
EFFECTIVE CAPS
none

Can we investigate further why --cap-add is not working with --user?
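The distinction the thread keeps returning to (a capability present in the bounding set but absent from the effective set) follows from the kernel's capability rules rather than from anything podman-specific. The script below, added here as an illustration and not taken from podman or any poster, decodes the Cap* lines of /proc/<pid>/status into capability names and then applies the execve() transformation from capabilities(7) to three situations raised above: a plain binary with only a bounding-set entry, the setcap workaround micah describes, and a runtime that raises the capability into the permitted, inheritable and ambient sets before exec. The status text is constructed to mirror the `podman top -l capbnd` / `capeff` output shown in this post; the function and variable names are the example's own.

```python
"""Decode /proc/<pid>/status capability sets and model the execve() transition.

Added example for this thread, not podman code. Rules follow capabilities(7),
"Transformation of capabilities during execve()". SAMPLE_STATUS is constructed.
"""

# Capability bit positions as defined in <linux/capability.h> (0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_BIT = {name: 1 << i for i, name in enumerate(CAP_NAMES)}
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_status(text):
    """Return {field: mask} for the five Cap* lines of a /proc/<pid>/status dump."""
    caps = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_FIELDS:
            caps[key] = int(value.strip(), 16)   # values are hex bitmasks
    missing = set(CAP_FIELDS) - caps.keys()
    if missing:
        raise ValueError(f"status text lacks {sorted(missing)}")
    return caps


def decode(mask):
    """Bitmask -> cap_* names in bit order; bits above the known range are kept as hex."""
    names = [f"cap_{n}" for n in CAP_NAMES if mask & CAP_BIT[n]]
    unknown = mask & ~((1 << len(CAP_NAMES)) - 1)
    if unknown:
        names.append(hex(unknown))
    return names


def execve_caps(proc, file_caps=None):
    """Capability sets after execve() for a process whose UID is not 0.

    proc      : masks from parse_status().
    file_caps : None for a plain binary, or (permitted, inheritable, effective_flag)
                as set with setcap(8). Any file capability marks the binary as
                privileged, which clears the ambient set.
    """
    if file_caps is None:
        f_prm, f_inh, f_eff, ambient = 0, 0, False, proc["CapAmb"]
    else:
        f_prm, f_inh, f_eff = file_caps
        ambient = 0
    permitted = (proc["CapInh"] & f_inh) | (f_prm & proc["CapBnd"]) | ambient
    effective = permitted if f_eff else ambient
    return {"CapInh": proc["CapInh"], "CapPrm": permitted, "CapEff": effective,
            "CapBnd": proc["CapBnd"], "CapAmb": ambient}


# Constructed sample: the runtime placed only NET_BIND_SERVICE (bit 10 = 0x400)
# in the bounding set before switching to an unprivileged user.
SAMPLE_STATUS = """\
Name:\tsleep
Uid:\t65534\t65534\t65534\t65534
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""


def explain_thread_case():
    """Replay the three situations from the thread; return each effective set."""
    proc = parse_status(SAMPLE_STATUS)
    bit = CAP_BIT["net_bind_service"]
    # 1. Plain binary, nothing but the bounding set: no effective capability.
    plain = execve_caps(proc)["CapEff"]
    # 2. Workaround from the thread: setcap cap_net_bind_service=ep on the binary.
    with_setcap = execve_caps(proc, (bit, 0, True))["CapEff"]
    # 3. Runtime raises the cap into permitted, inheritable and ambient before exec
    #    (ambient requires both permitted and inheritable); it survives execve of a
    #    plain binary, which is what lets --cap-add reach a --user process.
    amb = dict(proc, CapPrm=bit, CapInh=bit, CapAmb=bit)
    with_ambient = execve_caps(amb)["CapEff"]
    return decode(plain), decode(with_setcap), decode(with_ambient)


if __name__ == "__main__":
    for label, caps in zip(("plain", "setcap", "ambient"), explain_thread_case()):
        print(f"{label:8s} CapEff = {caps or ['none']}")
```

Run against a real container, `parse_status(open("/proc/<pid>/status").read())` gives the same five masks that `podman top -l capbnd` and `capeff` summarise, so the decoder doubles as a quick check of what a given runtime version actually hands the process.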

@mheon
Member

mheon commented Dec 4, 2020

@giuseppe PTAL - from my reading of the code it looks like they should be set, after normalizing by adding the CAP_ prefix?

@rhatdan
Member

rhatdan commented Dec 4, 2020

Works for me.

#  podman run -d --cap-drop all --cap-add net_bind_service --user nobody:nobody fedora sleep 100
Resolved short name "fedora" to a recorded short-name alias (origin: /etc/containers/registries.conf.d/shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 8fde7942e775 done  
Copying config 79fd58dc76 done  
Writing manifest to image destination
Storing signatures
4010af0c8e657c88903b254171e0c6a480167cb764127538e98f25d9475a013e
# podman top -l capeff
EFFECTIVE CAPS
NET_BIND_SERVICE

@micah

micah commented Dec 4, 2020 via email

@rhatdan
Member

rhatdan commented Dec 5, 2020

$ podman -v
podman version 2.2.0
$ rpm -q podman
podman-2.2.0-1.fc33.x86_64

@micah

micah commented Dec 5, 2020

@nmasse-itix it looks like you are using 2.1.1, while this seems to be fixed in 2.2.0 as shown by @rhatdan -- can you try 2.2.0 and see if it fixes your issue?

@nmasse-itix

Thanks a lot @rhatdan, @micah and @mheon!

I don't know where to get the pre-built RPM as shown by @rhatdan. My stock Fedora 33 is still with podman 2.1.1...

So I downloaded pre-built podman 2.2.0 from https://cirrus-ci.com/task/5997161601040384.

$ sudo mv /usr/bin/podman /usr/bin/podman.old
$ sudo cp Downloads/podman /usr/bin/podman
$ sudo chown root:root /usr/bin/podman
$ sudo chmod 755 /usr/bin/podman

$ podman -v     
podman version 2.2.0

$ podman run -d --cap-drop all --cap-add net_bind_service --user nobody:nobody fedora sleep 100
Completed short name "fedora" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 8fde7942e775 done  
Copying config 79fd58dc76 done  
Writing manifest to image destination
Storing signatures
69bc3a0d7d0b74bcfde7bd59f9d2add7b366e391d86046e413c62f0994a669ae

$ podman top -l capeff
EFFECTIVE CAPS
NET_BIND_SERVICE

I can confirm the bug has been fixed in podman 2.2.0! Thanks a lot for your help! 👍

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023