
I am running a network server under the jamq user in Docker.

[root@12af450e8259 /]# su jamq -c '/opt/jboss-amq-7-i0/bin/artemis-service start'
Starting artemis-service
artemis-service is now running (25)

I am then trying to list processes and their listening sockets using netstat as root, but for processes running as a different user than me, I only see - instead of the PID.

[root@12af450e8259 /]# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1/sshd              
tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8161          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5445            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:61613           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:61616           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      1/sshd          

I tried adding --privileged to the Docker command line, and that fixes the problem. I then wanted to use more granular capabilities, but I cannot find the right capability.

I tried

docker run --rm --cap-add=SYS_ADMIN --cap-add=NET_ADMIN -it myimage:latest bash

but that does not help.

user7610
  • 25,267
  • 15
  • 124
  • 150

1 Answer

3

The required capability is --cap-add=SYS_PTRACE. There are various bug reports noting that netstat needs this capability. For example, Bug 901754 - SELinux is preventing /usr/bin/netstat from using the 'sys_ptrace' capabilities.

The correct command therefore is

docker run --rm --cap-add=SYS_PTRACE -it myimage:latest bash
[root@f9c4b5fa7d1c /]# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      22/java             
tcp        0      0 0.0.0.0:61613           0.0.0.0:*               LISTEN      22/java             
tcp        0      0 0.0.0.0:61616           0.0.0.0:*               LISTEN      22/java             
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      92/sshd             
tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN      22/java             
tcp        0      0 127.0.0.1:8161          0.0.0.0:*               LISTEN      22/java             
tcp        0      0 0.0.0.0:5445            0.0.0.0:*               LISTEN      22/java             
tcp6       0      0 :::22                   :::*                    LISTEN      92/sshd             
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
user7610
  • 25,267
  • 15
  • 124
  • 150

Note: You should NOT use SYS_PTRACE linux capability in **production**, since it can be abused to gain root access via privilege escalation as mentioned [here](https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc) – Puneeth G R Aug 20 '23 at 09:00
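To show why the "-" appears in the question and why the answer's SYS_PTRACE fixes it, here is an added Python example (not code from the post or from netstat) that does what netstat -nlp does under the hood: it reads /proc/net/tcp to find LISTEN sockets and their inode numbers, then scans /proc/PID/fd/ for a symlink pointing at socket:[inode]. Reading those symlinks is a PTRACE_MODE_READ access check on the target process, so root in a container without CAP_SYS_PTRACE gets EACCES for processes owned by another user, which netstat renders as "-". The block also checks whether the current process holds CAP_SYS_PTRACE (bit 19) by parsing CapEff from /proc/self/status, so you can verify what --cap-add actually granted before blaming netstat. The /proc/net/tcp text and the CapEff values used in the tests are constructed samples, not captured from the page's container.

```python
"""Map listening TCP sockets to PIDs the way netstat does, and check CAP_SYS_PTRACE."""
import os
import re
import socket
import struct

CAP_SYS_PTRACE = 19  # bit index of CAP_SYS_PTRACE in linux/capability.h

# Constructed sample in /proc/net/tcp format (ports 22, 1883 and 8161; two owned by uid 1000).
# IPv4 addresses in this file are hex words in host byte order; the sample is little-endian.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:075B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1FE1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hexaddr):
    """Decode a /proc/net/tcp 'ADDR:PORT' field, e.g. '0100007F:1FE1' -> ('127.0.0.1', 8161)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # little-endian word -> dotted quad
    return ip, int(port_hex, 16)


def parse_listening(proc_net_tcp_text):
    """Return [(ip, port, uid, inode)] for every socket in LISTEN state (st == 0A)."""
    rows = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        ip, port = decode_addr(f[1])
        rows.append((ip, port, int(f[7]), int(f[9])))
    return rows


def socket_inode_to_pid(inode, proc="/proc"):
    """Find the PID whose fd table holds 'socket:[inode]', or None.

    readlink() on /proc/<pid>/fd/<n> (and, on some kernels, listing that directory)
    requires PTRACE_MODE_READ access to the process. Root in a container without
    CAP_SYS_PTRACE fails that check for processes of another uid and gets EACCES;
    that is the case netstat prints as '-' in the PID/Program name column.
    """
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:  # no procfs at all (e.g. not on Linux)
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # EACCES or the process exited: cannot inspect it
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:  # EACCES without CAP_SYS_PTRACE, or the fd was closed
                continue
            if target == f"socket:[{inode}]":
                return int(pid)
    return None


def has_cap_sys_ptrace(status_text):
    """Parse the CapEff line of a /proc/<pid>/status file and test bit 19."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return bool((int(m.group(1), 16) >> CAP_SYS_PTRACE) & 1)


def netstat_like(proc="/proc"):
    """Live listing for the current host: (ip, port, uid, pid_or_None) per LISTEN socket."""
    with open(os.path.join(proc, "net", "tcp")) as fh:
        rows = parse_listening(fh.read())
    return [(ip, port, uid, socket_inode_to_pid(inode, proc)) for ip, port, uid, inode in rows]


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        print("CAP_SYS_PTRACE effective:", has_cap_sys_ptrace(fh.read()))
    for ip, port, uid, pid in netstat_like():
        print(f"{ip}:{port:<6} uid={uid:<6} pid={'-' if pid is None else pid}")
```

Run it as root inside the container before and after adding --cap-add=SYS_PTRACE: the first line tells you whether the capability is actually in the effective set, and any socket owned by another uid shows pid=- exactly when it is not. Because the listing needs only CAP_SYS_PTRACE, a debugging container can be started with that single capability instead of --privileged, and, as the comment above points out, dropped again once the investigation is done.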