Posted to issues@commons.apache.org by "Sheridan Rawlins (Jira)" <ji...@apache.org> on 2020/12/01 07:09:00 UTC

[jira] [Updated] (DAEMON-426) CAP_DAC_READ_SEARCH not allowed in containers by default

     [ https://issues.apache.org/jira/browse/DAEMON-426?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sheridan Rawlins updated DAEMON-426:
------------------------------------
    Description: 
jsvc tries to get {{CAP_DAC_READ_SEARCH}} capabilities.  The code says [Fix DAEMON-16 by adding CAP_DAC_READ_SEARCH to allow reading /proc/self|https://github.com/apache/commons-daemon/commit/2090bd1586f30f4a72ab192df6b7e7f9f5548922#diff-71c2181bdc541da57b93eb9c43851baa9457ca97e6cf1e9f8ee1c280d273ca5a] but does anyone still need this? It fails on Docker containers in Kubernetes unless admins allow that capability to be requested.

I tried compiling it without this flag and it seems to run everything just fine - but to not break anyone who might really need this CAP, perhaps some command line switch could be added to adjust what capabilities are requested generally, or at the very least specifically whether to not alter that CAP_DAC_READ_SEARCH cap.

  was:
jsvc tries to get {{CAP_DAC_READ_SEARCH}} capabilities.  The code says [Fix DAEMON-16 by adding CAP_DAC_READ_SEARCH to allow reading /proc/self|https://github.com/apache/commons-daemon/commit/2090bd1586f30f4a72ab192df6b7e7f9f5548922#diff-71c2181bdc541da57b93eb9c43851baa9457ca97e6cf1e9f8ee1c280d273ca5a] but does anyone still need this? It fails on Docker containers in Kubernetes unless admins allow that capability to be requested.

I tried compiling it without this flag and it seems to run everything just fine - but to not break the masses, perhaps some command line switch could be added to adjust what capabilities are requested generally, or at the very least specifically whether to not alter that CAP_DAC_READ_SEARCH cap.


> CAP_DAC_READ_SEARCH not allowed in containers by default
> --------------------------------------------------------
>
>                 Key: DAEMON-426
>                 URL: https://issues.apache.org/jira/browse/DAEMON-426
>             Project: Commons Daemon
>          Issue Type: Bug
>          Components: Jsvc
>    Affects Versions: 1.2.2
>         Environment: Redhat 7; jsvc 1.2.3
>            Reporter: Sheridan Rawlins
>            Priority: Major
>
> jsvc tries to get {{CAP_DAC_READ_SEARCH}} capabilities.  The code says [Fix DAEMON-16 by adding CAP_DAC_READ_SEARCH to allow reading /proc/self|https://github.com/apache/commons-daemon/commit/2090bd1586f30f4a72ab192df6b7e7f9f5548922#diff-71c2181bdc541da57b93eb9c43851baa9457ca97e6cf1e9f8ee1c280d273ca5a] but does anyone still need this? It fails on Docker containers in Kubernetes unless admins allow that capability to be requested.
> I tried compiling it without this flag and it seems to run everything just fine - but to not break anyone who might really need this CAP, perhaps some command line switch could be added to adjust what capabilities are requested generally, or at the very least specifically whether to not alter that CAP_DAC_READ_SEARCH cap.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
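
Added example (not part of the original message and not commons-daemon code): one way a launcher could check the capability bounding set before requesting CAP_DAC_READ_SEARCH, so that a container which does not grant it is handled gracefully. The function names and the sample CapBnd line are assumptions constructed for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_DAC_READ_SEARCH_NR   2
#define CAP_NET_BIND_SERVICE_NR 10

/* Constructed sample: a bounding set in which bit 2 (CAP_DAC_READ_SEARCH) is clear. */
static const char SAMPLE_LINE[] = "CapBnd:\t00000000a80425fb\n";

/* Parse a "CapBnd:\t<hex>" line from /proc/<pid>/status; returns 0 on success. */
int parse_capbnd_line(const char *line, uint64_t *mask)
{
    static const char key[] = "CapBnd:";
    char *end;
    if (strncmp(line, key, sizeof key - 1) != 0)
        return -1;
    const char *hex = line + sizeof key - 1;
    errno = 0;
    unsigned long long v = strtoull(hex, &end, 16);
    if (errno != 0 || end == hex)      /* overflow, or no hex digits at all */
        return -1;
    *mask = v;
    return 0;
}

/* 1 if capability number `cap` is present in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap) { return (int)((mask >> cap) & 1u); }

/* Keep only the wanted capabilities that the bounding set still permits. */
uint64_t filter_requested(uint64_t wanted, uint64_t bounding) { return wanted & bounding; }

int main(void)
{
    uint64_t bnd = 0;
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");   /* live value; fall back to the sample */
    int found = 0;
    while (f && !found && fgets(line, sizeof line, f))
        found = (parse_capbnd_line(line, &bnd) == 0);
    if (f) fclose(f);
    if (!found && parse_capbnd_line(SAMPLE_LINE, &bnd) != 0) return 1;
    printf("CapBnd=%016llx: CAP_DAC_READ_SEARCH %s\n", (unsigned long long)bnd,
           cap_in_mask(bnd, CAP_DAC_READ_SEARCH_NR) ? "can be requested" : "is unavailable, skip it");
    return 0;
}
```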