mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
67de83e70b
Various dirs in /var/lib/docker contain data that needs to be mounted into a container. For this reason, these dirs are set to be owned by the remapped root user, otherwise there can be permissions issues. However, this uneccessarily exposes these dirs to an unprivileged user on the host. Instead, set the ownership of these dirs to the real root (or rather the UID/GID of dockerd) with 0701 permissions, which allows the remapped root to enter the directories but not read/write to them. The remapped root needs to enter these dirs so the container's rootfs can be configured... e.g. to mount /etc/resolve.conf. This prevents an unprivileged user from having read/write access to these dirs on the host. The flip side of this is now any user can enter these directories. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit |
||
---|---|---|
.. | ||
aufs | ||
btrfs | ||
copy | ||
devmapper | ||
graphtest | ||
lcow | ||
overlay | ||
overlay2 | ||
overlayutils | ||
quota | ||
register | ||
vfs | ||
windows | ||
zfs | ||
counter.go | ||
driver.go | ||
driver_freebsd.go | ||
driver_linux.go | ||
driver_test.go | ||
driver_unsupported.go | ||
driver_windows.go | ||
errors.go | ||
fsdiff.go | ||
plugin.go | ||
proxy.go |