Public bug reported:

Using docker.io 1.12.6 on xenial or yakkety, I was astonished that non-root users in containers had root equivalent privileges on both container and host (mounted volume) filesystem. On zesty that behavior seems fixed, and docker-ce 17.03.1 on xenial also fixes it.

Is this an Ubuntu specific bug, or expected behavior? I couldn't find any comments about the fix in package changelog or zesty release notes.

In the following I was running docker.io 1.12.6 on cleanly installed yakkety.

  $ docker run --rm -it -u 10000:10000 ubuntu:16.04
  groups: cannot find name for group ID 10000
  I have no name!@e9045b423102:/$ id
  uid=10000 gid=10000 groups=10000
  I have no name!@e9045b423102:/$ cd /root
  I have no name!@e9045b423102:/root$ touch a
  I have no name!@e9045b423102:/root$ ls -la
  total 16
  drwx------  2 root  root  4096 May 10 20:46 .
  drwxr-xr-x 35 root  root  4096 May 10 20:46 ..
  -rw-r--r--  1 root  root  3106 Oct 22  2015 .bashrc
  -rw-r--r--  1 root  root   148 Aug 17  2015 .profile
  -rw-r--r--  1 10000 10000    0 May 10 20:46 a

More strange stuff was this:

  $ docker run --rm -it ubuntu:16.04
  root@419a796ec0f2:/# useradd ubuntu
  root@419a796ec0f2:/# su ubuntu
  ubuntu@419a796ec0f2:/$ cd /root
  bash: cd: /root: Permission denied
  ubuntu@419a796ec0f2:/$ id
  uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)

docker info:

  $ docker info
  Containers: 0
   Running: 0
   Paused: 0
   Stopped: 0
  Images: 3
  Server Version: 1.12.6
  Storage Driver: aufs
   Root Dir: /var/lib/docker/aufs
   Backing Filesystem: extfs
   Dirs: 15
   Dirperm1 Supported: true
  Logging Driver: json-file
  Cgroup Driver: cgroupfs
  Plugins:
   Volume: local
   Network: null bridge overlay host
  Swarm: inactive
  Runtimes: runc
  Default Runtime: runc
  Security Options: apparmor seccomp
  Kernel Version: 4.8.0-51-generic
  Operating System: Ubuntu 16.10
  OSType: linux
  Architecture: x86_64
  CPUs: 1
  Total Memory: 3.613 GiB
  Name: dev-t-yaegashi-004
  ID: 7C3U:L7PQ:EI4E:JWS4:7RCV:KWZ5:NPDD:2TIJ:7OOC:TVLZ:FJCO:NZ6K
  Docker Root Dir: /var/lib/docker
  Debug Mode (client): false
  Debug Mode (server): false
  Registry: https://index.docker.io/v1/
  WARNING: No swap limit support
  Insecure Registries:
   127.0.0.0/8

I see expected behavior with docker.io 1.12.6 on zesty:

  $ docker run --rm -it -u 10000:10000 ubuntu:16.04
  groups: cannot find name for group ID 10000
  I have no name!@2ee03f8ada45:/$ cd /root
  bash: cd: /root: Permission denied

** Affects: docker.io (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1690282

Title:
  non-root user's privilege in containers on xenial/yakkety

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1690282/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
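A practical way to verify what the report observes is to look at the process itself rather than at the filesystem: a uid 10000 shell that can create files in a root-owned 0700 directory is behaving as if it still held Linux capabilities such as CAP_DAC_OVERRIDE. That mechanism is an assumption made here, not a root cause stated in the bug report. The script below is an added example, not code from the reporter or from the docker.io package; it decodes the CapEff field of a /proc/<pid>/status file and reports when a non-root effective uid holds any effective capabilities, naming the ones that bypass file permission checks. The two status texts embedded in it are constructed samples, not captures from the reporter's system; the 0xa80425fb mask is the well-known default capability set Docker grants a root container process. Run without arguments inside a container started with `-u 10000:10000`, it audits its own process.

```python
"""Audit whether a non-root process still holds effective capabilities,
by decoding CapEff from a /proc/<pid>/status file.

Added example for the docker.io bug report; not part of the report or
the package. Sample status texts below are constructed, not captured."""

from typing import Dict, List, Set

# Capability names indexed by bit number, as defined in
# include/uapi/linux/capability.h (bits 0..40 as of Linux 5.9).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that let a process bypass DAC checks on files, i.e. write
# into a root-owned 0700 directory the way the uid 10000 shell did.
FS_BYPASS_CAPS = {"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER"}


def decode_caps(hex_mask: str) -> Set[str]:
    """Turn a CapEff/CapPrm/CapBnd hex mask into a set of capability names."""
    mask = int(hex_mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def audit_status(text: str) -> List[str]:
    """Return findings for a process that is non-root yet holds capabilities.

    An empty list means the process looks the way a `-u 10000:10000`
    container shell is expected to look: an unprivileged uid, CapEff == 0."""
    fields = parse_status(text)
    # The Uid line is "real effective saved fs"; the effective uid governs DAC.
    euid = int(fields["Uid"].split()[1])
    eff = decode_caps(fields.get("CapEff", "0"))
    findings = []
    if euid != 0 and eff:
        findings.append(f"euid {euid} holds {len(eff)} effective capabilities")
        bypass = sorted(eff & FS_BYPASS_CAPS)
        if bypass:
            findings.append("filesystem DAC bypass possible via " + ", ".join(bypass))
    return findings


# Constructed sample: a non-root uid that kept Docker's default root
# capability set (0xa80425fb, 14 capabilities). This is the suspicious case.
SUSPICIOUS_STATUS = (
    "Name:\tbash\n"
    "Uid:\t10000\t10000\t10000\t10000\n"
    "Gid:\t10000\t10000\t10000\t10000\n"
    "CapEff:\t00000000a80425fb\n"
)

# Constructed sample: the expected state, non-root with no effective caps.
EXPECTED_STATUS = (
    "Name:\tbash\n"
    "Uid:\t10000\t10000\t10000\t10000\n"
    "Gid:\t10000\t10000\t10000\t10000\n"
    "CapEff:\t0000000000000000\n"
)

if __name__ == "__main__":
    import sys
    # With no argument, audit the calling process (run it inside the container).
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as fh:
        for finding in audit_status(fh.read()) or ["no findings"]:
            print(finding)
```

A clean result from this check on a `-u 10000:10000` container (no findings) matches the zesty behaviour in the report, where `cd /root` is denied; a non-empty result on xenial or yakkety would point at retained capabilities rather than at the filesystem as the thing to investigate.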