DAC_OVERRIDE is required to work properly
Hi there! I am trying to upgrade the security of my docker-compose files by limiting capabilities. The problem I am facing is that many containers require DAC_OVERRIDE to work properly. I've tried to mitigate this by using SETUID/SETGID and CHOWN while setting the proper UID and GID in the docker-compose.yml. But whatever I try, I always receive a "Permission denied". It works just fine without specifying any capability drops, and when specifying "drop all" while allowing DAC_OVERRIDE. Many containers will work properly without any capabilities: Navidrome, Audiobookshelf. But many require Postgres or MariaDB, and these two won't work without DAC_OVERRIDE, even when running them for the first time.
I'm scared about the damage DAC_OVERRIDE can cause.
Is there someone who is facing the same issue or might know a solution?
Is this relevant to this repo?
Hi there, I'm still trying to provide a proof-of-concept. Just to verify my theory: if my UIDMap starts at 16536 and I assign UID 2002 to my Docker container using the --user parameter, will it run as 16536 + 2002 and access files within a bind mount as 16536 + 2002? @AkihiroSuda
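Added example, not code from the thread or the project: a small POSIX sh helper that applies a user-namespace uid_map (the `/proc/<pid>/uid_map` format) to a container UID, the way a rootless Docker namespace does, so the owner a bind-mounted file must have on the host can be checked instead of granting DAC_OVERRIDE. The mapping text and UIDs below are constructed; the rootlesskit layout assumed here maps container root to the host user and container UIDs from 1 upward onto the subordinate range.

```shell
#!/bin/sh
# Constructed sample mapping in uid_map format: "inside outside count".
# Assumption: host user is UID 1000, subordinate range starts at 16536
# (the poster's number), container UID 1 is the first subordinate UID.
SAMPLE_UID_MAP='0 1000 1
1 16536 65536'

# map_uid CONTAINER_UID [UID_MAP_TEXT]
# Prints the host UID that CONTAINER_UID lands on. Defaults to the caller's
# own uid_map. Prints nothing and returns 1 when the UID is outside every
# mapped range (such a UID appears as the overflow uid on the host and can
# never own a bind-mounted file, which is one cause of "Permission denied").
map_uid() {
    cuid=$1
    map=${2:-$(cat /proc/self/uid_map)}
    printf '%s\n' "$map" | awk -v c="$cuid" '
        NF == 3 && c >= $1 && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_bind_owner PATH CONTAINER_UID UID_MAP_TEXT
# Reports whether the host-side owner of PATH matches what CONTAINER_UID maps
# to, i.e. whether the service could use the path with DAC_OVERRIDE dropped.
# Uses GNU stat -c (assumption about the host's coreutils).
check_bind_owner() {
    path=$1; cuid=$2; map=$3
    host_uid=$(map_uid "$cuid" "$map") || { echo "uid $cuid is unmapped"; return 2; }
    owner=$(stat -c %u "$path") || return 2
    if [ "$owner" = "$host_uid" ]; then
        echo "ok: $path owned by host uid $host_uid (container uid $cuid)"
        return 0
    fi
    echo "mismatch: $path owned by $owner, container uid $cuid maps to host uid $host_uid"
    return 1
}

# Stand-alone usage: where does the poster's UID 2002 land under the sample map?
map_uid 2002 "$SAMPLE_UID_MAP"   # prints 18537 (16536 + 2002 - 1, since UID 1 is the first subordinate UID)
```

Run `check_bind_owner /path/to/bind/mount 2002 "$(cat /proc/self/uid_map)"` from inside the rootless daemon's namespace (for example via `nsenter` into the dockerd process) to compare a real mount against a real mapping; a mismatch means the fix is `chown` on the host to the printed host UID, not DAC_OVERRIDE.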