I'm exploring Docker container capabilities and permissions and I'm curious about the implications of dropping the FSETID capability. When I run a Docker container with the --cap-drop FSETID option, I know about the SUID and GUID that are related to file and directory ownership permissions.
Can anyone provide a clear explanation of what the FSETID capability allows within a Docker container by default? What specific actions or operations might be restricted or impacted within the container after dropping the FSETID capability? I've noticed that even when running the Docker container with a non-root user and the --cap-drop FSETID option, I can still change file and folder permissions, and even run commands like passwd. Why is this possible despite the capability being dropped? I'd very thankful if you tell me a scenario that after dropping FSETID capability, it will change compared with the existence of this capability.
I created a new image with docker file below
FROM ubuntu:latest
RUN useradd -m -s /bin/bash myuser
RUN echo 'myuser:mypassword' | chpasswd
RUN apt update && apt install sudo
RUN usermod -aG sudo myuser
USER myuser
CMD ["bash"]
I also created a container with the following command, but I didn't notice any restrictions on the new container.
docker run -it --cap-drop FSETID new_image bash