[ https://issues.apache.org/jira/browse/DAEMON-426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17245997#comment-17245997 ]

Mark Thomas commented on DAEMON-426:
------------------------------------

After some digging I think I figured out what is going on.

The -procname option is implemented using execve and that needs the path to the 
binary.

The path to the binary is obtained from /proc/self/exe falling back to argv[0] 
if that fails.

CAP_DAC_READ_SEARCH is required in order to read /proc/self/exe

jsvc fails if any requested capability isn't available.


So jsvc fails on docker because CAP_DAC_READ_SEARCH isn't available.

Commenting out CAP_DAC_READ_SEARCH causes the read of /proc/self/exe to fail so 
jsvc falls back to argv[0] which works.


I've re-worked the capability code to try to request CAP_DAC_READ_SEARCH but 
to fall back to trying without that capability if the initial request fails.


If you could test the current code that would be very helpful.
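Added illustration (not Commons Daemon's own code) of the two fallbacks described in the comment above: resolving the execve() path from /proc/self/exe with argv[0] as the fallback, and requesting CAP_DAC_READ_SEARCH first but retrying without it when the kernel or container refuses it. The capability request is modelled by a callback standing in for capset(); the two "apply" functions and the CAPREQ_* flags are constructed for the example.

```c
#include <string.h>
#include <unistd.h>

enum exe_source { EXE_UNKNOWN = 0, EXE_FROM_PROC = 1, EXE_FROM_ARGV0 = 2 };

/* Resolve the path execve() needs for -procname. proc_link is normally
 * "/proc/self/exe" (parameterised so the fallback can be exercised); when
 * that read is denied, e.g. without CAP_DAC_READ_SEARCH, fall back to argv0.
 * Returns which source was used, or EXE_UNKNOWN if neither worked. */
enum exe_source resolve_exe_path(const char *proc_link, const char *argv0,
                                 char *out, size_t outlen)
{
    ssize_t n = readlink(proc_link, out, outlen - 1);
    if (n >= 0) {
        out[n] = '\0';
        return EXE_FROM_PROC;
    }
    if (argv0 == NULL || argv0[0] == '\0' || strlen(argv0) >= outlen)
        return EXE_UNKNOWN;
    strcpy(out, argv0);
    return EXE_FROM_ARGV0;
}

/* Constructed flag bits; a real build would use libcap / capset() values. */
#define CAPREQ_SETUID          0x1u
#define CAPREQ_DAC_READ_SEARCH 0x2u

/* apply() returns 0 when the requested set is granted, -1 when refused. */
typedef int (*apply_caps_fn)(unsigned mask);

/* Try the full set including DAC_READ_SEARCH; if refused, retry with only
 * the required set instead of aborting (readlink will then fail and the
 * argv[0] path is used). Returns the mask finally granted, 0 on failure. */
unsigned request_caps_with_fallback(unsigned required, apply_caps_fn apply)
{
    unsigned want = required | CAPREQ_DAC_READ_SEARCH;
    if (apply(want) == 0)
        return want;
    if (apply(required) == 0)
        return required;
    return 0;
}

/* Constructed simulators: a container whose default bounding set lacks
 * DAC_READ_SEARCH refuses any request containing it; a host grants all. */
int apply_caps_container_default(unsigned mask)
{
    return (mask & CAPREQ_DAC_READ_SEARCH) ? -1 : 0;
}
int apply_caps_host(unsigned mask) { (void)mask; return 0; }
```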

> CAP_DAC_READ_SEARCH not allowed in containers by default
> --------------------------------------------------------
>
>                 Key: DAEMON-426
>                 URL: https://issues.apache.org/jira/browse/DAEMON-426
>             Project: Commons Daemon
>          Issue Type: Bug
>          Components: Jsvc
>    Affects Versions: 1.2.2
>         Environment: Redhat 7; jsvc 1.2.3
>            Reporter: Sheridan Rawlins
>            Priority: Major
>
> jsvc tries to get CAP_DAC_READ_SEARCH capabilities.  The code says "Fix 
> DAEMON-16 by adding CAP_DAC_READ_SEARCH to allow reading /proc/self" 
> (https://github.com/apache/commons-daemon/commit/2090bd1586f30f4a72ab192df6b7e7f9f5548922#diff-71c2181bdc541da57b93eb9c43851baa9457ca97e6cf1e9f8ee1c280d273ca5a)
>  but does anyone still need this? It fails on docker containers in kubernetes 
> unless admins allow that capability to be requested.
> I tried compiling it without this flag and it seems to run everything just 
> fine - but to not break anyone who might really need this CAP, perhaps some 
> command line switch could be added to adjust what capabilities are requested 
> generally, or at the very least specifically whether to not alter that 
> CAP_DAC_READ_SEARCH cap.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)