Podman containers have cap_dac_override but not cap_dac_read_search

[adelton]

I've recently hit an issue https://bugzilla.redhat.com/show_bug.cgi?id=2334087 when removing cap_dac_override and keeping cap_dac_read_search works on host (for a sssd:sssd process to read /etc/krb5.keytab with root:root and -rw-------) but not in containers.

Checking

$ podman run --rm registry.fedoraproject.org/fedora:rawhide capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: HYBRID (4)

I see that the container has cap_dac_override but not cap_dac_read_search. Reading capabilities(7) it looks like cap_dac_read_search might be a less "powerful" capability than cap_dac_override. (This is with podman-5.3.1-1.fc41.x86_64. Output with sudo podman is the same.)

Is there a specific reason why podman containers by default enables cap_dac_override but does not add cap_dac_read_search?

[rhatdan]

The original set of capabilities was defined by Docker, which did not include dac_read_search. Podman followed the default, but removed some questionable ones. mknod, net_raw, cap_audit_write.

I would prefer to remove capabilities from the default list, but this would break existing users. For example I see little reason for cap_setpcap and cap_setfcap (Except in the case of building), Not sure of cap_fsetid or cap_fowner either. dac_override has all of the powers of dac_read_search, I believe, so making both defaults, seems of limited value. If you want to remove dac_override, you probably know enough to add dac_read_search.

[adelton]

Thank you.