Check necessity of `CAP_SYS_ADMIN` and `CAP_NET_ADMIN` capabilities. #7

jmuchovej · 2021-05-04T19:23:40Z

Binding to port 53 seems to require CAP_NET_BIND_SERVICE.

Further, having ZeroTier run within the container appears to require CAP_SYS_ADMIN and CAP_NET_ADMIN. Based on my understanding of cap_add – CAP_SYS_ADMIN should include CAP_NET_ADMIN... but, CAP_SYS_ADMIN also gets pretty close to root's capabilities – which (ideally) isn't necessary.

Need to develop a better understanding of CAP_SYS_ADMIN.
Need to develop a better understanding of CAP_NET_ADMIN.
Test what capabilities are required for running CoreDNS, strictly.
Test what capabilities are required for running ZeroTier, strictly.

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check necessity of `CAP_SYS_ADMIN` and `CAP_NET_ADMIN` capabilities. #7

Check necessity of `CAP_SYS_ADMIN` and `CAP_NET_ADMIN` capabilities. #7

jmuchovej commented May 4, 2021

Check necessity of CAP_SYS_ADMIN and CAP_NET_ADMIN capabilities. #7

Check necessity of CAP_SYS_ADMIN and CAP_NET_ADMIN capabilities. #7

Comments

jmuchovej commented May 4, 2021

Check necessity of `CAP_SYS_ADMIN` and `CAP_NET_ADMIN` capabilities. #7

Check necessity of `CAP_SYS_ADMIN` and `CAP_NET_ADMIN` capabilities. #7