Posted to issues@commons.apache.org by "Sheridan Rawlins (Jira)" <ji...@apache.org> on 2020/12/01 07:08:00 UTC

[jira] [Created] (DAEMON-426) CAP_DAC_READ_SEARCH not allowed in containers by default

Sheridan Rawlins created DAEMON-426:
---------------------------------------

             Summary: CAP_DAC_READ_SEARCH not allowed in containers by default
                 Key: DAEMON-426
                 URL: https://issues.apache.org/jira/browse/DAEMON-426
             Project: Commons Daemon
          Issue Type: Bug
          Components: Jsvc
    Affects Versions: 1.2.2
         Environment: Redhat 7; jsvc 1.2.3
            Reporter: Sheridan Rawlins


jsvc tries to get {{CAP_DAC_READ_SEARCH}} capabilities.  The code says [Fix DAEMON-16 by adding CAP_DAC_READ_SEARCH to allow reading /proc/self|https://github.com/apache/commons-daemon/commit/2090bd1586f30f4a72ab192df6b7e7f9f5548922#diff-71c2181bdc541da57b93eb9c43851baa9457ca97e6cf1e9f8ee1c280d273ca5a] but does anyone still need this? It fails on docker containers in kubernetes unless admins allow that capability to be requested.

I tried compiling it without this flag and it seems to run everything just fine - but to not break the masses, perhaps some command line switch could be added to adjust what capabilities are requested generally, or at the very least specifically whether to not alter that CAP_DAC_READ_SEARCH cap.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
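The failure mode reported above, as an added example that is not part of the original report and is not jsvc code: capset(2) rejects a new permitted set that is not a subset of the current one, so a launcher can read CapPrm from /proc/self/status and strip what the container runtime has already removed before making the request. The status text is a constructed sample using Docker's default capability mask, and the requested set (other than CAP_DAC_READ_SEARCH) and both function names are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
enum { CAP_DAC_READ_SEARCH_N = 2, CAP_SETGID_N = 6, CAP_SETUID_N = 7,
       CAP_NET_BIND_SERVICE_N = 10 };
#define CAP_BIT(n) ((uint64_t)1 << (n))

/* Constructed sample of /proc/self/status for a root process in a container
 * started with Docker's default capability set (bit 2 is cleared). */
static const char SAMPLE_STATUS[] =
    "Name:\tjsvc\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n";

/* Read one hex capability mask ("CapPrm:", "CapBnd:", ...) from status text.
 * Returns 0 on success, -1 if the field is missing or has no hex value. */
int parse_cap_field(const char *status, const char *field, uint64_t *mask)
{
    const char *p = strstr(status, field);
    if (p == NULL) return -1;
    p += strlen(field);
    while (*p == ' ' || *p == '\t') p++;            /* stay on this line */
    if (!isxdigit((unsigned char)*p)) return -1;    /* empty value */
    *mask = strtoull(p, NULL, 16);
    return 0;
}

/* Split a wanted set into what the current permitted set allows and what it
 * does not. Passing any denied bit to capset(2) fails the whole call. */
uint64_t grantable(uint64_t wanted, uint64_t permitted, uint64_t *denied)
{
    *denied = wanted & ~permitted;
    return wanted & permitted;
}

int main(void)
{
    /* Illustrative request; only CAP_DAC_READ_SEARCH comes from the report. */
    uint64_t wanted = CAP_BIT(CAP_NET_BIND_SERVICE_N) | CAP_BIT(CAP_SETUID_N) |
                      CAP_BIT(CAP_SETGID_N) | CAP_BIT(CAP_DAC_READ_SEARCH_N);
    uint64_t permitted, denied;
    if (parse_cap_field(SAMPLE_STATUS, "CapPrm:", &permitted) != 0) return 1;
    uint64_t ok = grantable(wanted, permitted, &denied);
    printf("wanted=0x%llx grantable=0x%llx denied=0x%llx\n",
           (unsigned long long)wanted, (unsigned long long)ok,
           (unsigned long long)denied);
    return 0;
}
```

A denied mask of 0x4 is CAP_DAC_READ_SEARCH; the alternative to filtering is for the cluster admin to add that capability to the container's security context.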