How is a non-root user able to listen on a privileged port?
I was supposed to get a bind exception; instead it's binding on the privileged port.
% docker run --rm -u nobody alpine nc -l 0.0.0.0 443
% docker exec -it b2b471d05398 sh
~ $ id
uid=65534(nobody) gid=65534(nobody)
~ $ ps
PID USER TIME COMMAND
1 nobody 0:00 nc -l 0.0.0.0 443
8 nobody 0:00 sh
15 nobody 0:00 ps
~ $ %
I even tried another approach, building a Dockerfile:
FROM python:latest
COPY index.html /
EXPOSE 80
USER nobody
CMD python -m http.server 80
docker build -t test .
docker run --rm -u nobody test
~ % docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b40c6c33a187 test "/bin/sh -c 'python …" 28 seconds ago Up 27 seconds 80/tcp practical_lumiere
I tried this one too; it is still able to bind a port less than 1024:
docker run --rm -u nobody --cap-drop=SETUID --cap-drop=NET_BIND_SERVICE --cap-drop=SETFCAP --cap-drop=NET_RAW alpine nc -l 0.0.0.0 443
Solution 1:
The default kernel tuning parameter net.ipv4.ip_unprivileged_port_start for containers is set to 0, which makes all ports in the Docker container unprivileged. All processes inside the container can bind to any port (of the container), even as an unprivileged user.
With regards to exposing privileged ports as a non-privileged user on the host OS, see https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports
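An added diagnostic that reproduces the kernel's decision for the bind() call the question is asking about (example code written for this page, not part of the answer above or of Docker). It reads net.ipv4.ip_unprivileged_port_start for the current network namespace, checks whether the process holds CAP_NET_BIND_SERVICE in its effective set, and then actually tries to bind the port. The port number 443 and the /proc paths are assumptions; the code is Linux-specific. Run it inside the `docker run --rm -u nobody ...` container from the question and it reports `unprivileged_port_start: 0`, which is why the bind succeeds even with `--cap-drop=NET_BIND_SERVICE`: the capability is only consulted for ports below that threshold.

```python
"""Show why bind() on a low port succeeds or fails in the current namespace.

Linux treats a TCP/UDP port as privileged only if it is below the per-network-
namespace sysctl net.ipv4.ip_unprivileged_port_start (kernel default 1024).
Binding a privileged port requires CAP_NET_BIND_SERVICE in the effective
capability set; a port at or above the threshold needs no capability at all.
Docker sets the sysctl to 0 inside containers, so nothing is privileged there.
"""
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10          # capability bit number (linux/capability.h)
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"  # assumed path
KERNEL_DEFAULT_START = 1024


def unprivileged_port_start(path=SYSCTL_PATH):
    """Read the per-netns sysctl; fall back to the kernel default if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return KERNEL_DEFAULT_START


def parse_cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status content."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    return 0


def has_cap(cap_mask, cap_bit):
    """True if the capability bit is set in the given mask."""
    return bool((cap_mask >> cap_bit) & 1)


def bind_expected(port, start, cap_eff):
    """Mirror the kernel check: a low port needs CAP_NET_BIND_SERVICE, others do not."""
    if port >= start:
        return True  # not privileged in this netns; any uid may bind
    return has_cap(cap_eff, CAP_NET_BIND_SERVICE)


def probe_bind(port, host="0.0.0.0"):
    """Really attempt the bind; return 'bound', 'eacces' or 'other:<ERRNO>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return "bound"
    except OSError as e:
        if e.errno == errno.EACCES:
            return "eacces"  # privileged port and no CAP_NET_BIND_SERVICE
        return "other:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def diagnose(port=443):
    """Collect the inputs to the kernel's decision next to the observed result."""
    start = unprivileged_port_start()
    try:
        with open("/proc/self/status") as f:
            cap_eff = parse_cap_eff(f.read())
    except OSError:
        cap_eff = 0  # no /proc: assume no capabilities
    return {
        "uid": os.getuid() if hasattr(os, "getuid") else -1,
        "port": port,
        "unprivileged_port_start": start,
        "cap_net_bind_service": has_cap(cap_eff, CAP_NET_BIND_SERVICE),
        "expected_to_bind": bind_expected(port, start, cap_eff),
        "result": probe_bind(port),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

To get the host-style behaviour back for a single container, set the sysctl explicitly at run time, for example `docker run --rm -u nobody --sysctl net.ipv4.ip_unprivileged_port_start=1024 alpine nc -l 0.0.0.0 443`; with that setting the diagnostic reports `expected_to_bind: False` and `result: eacces` for uid 65534, and nc fails with "Permission denied" unless the process is granted CAP_NET_BIND_SERVICE.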