This repository was archived by the owner on May 6, 2022. It is now read-only.

Check necessity of CAP_SYS_ADMIN and CAP_NET_ADMIN capabilities. #7

@jmuchovej

Binding to port 53 seems to require CAP_NET_BIND_SERVICE.

Further, having ZeroTier run within the container appears to require CAP_SYS_ADMIN and CAP_NET_ADMIN. Based on my understanding of cap_add, CAP_SYS_ADMIN should include CAP_NET_ADMIN... but, CAP_SYS_ADMIN also gets pretty close to root's capabilities – which (ideally) isn't necessary.

  • Need to develop a better understanding of CAP_SYS_ADMIN.
  • Need to develop a better understanding of CAP_NET_ADMIN.
  • Test what capabilities are required for running CoreDNS, strictly.
  • Test what capabilities are required for running ZeroTier, strictly.
