Alan Cheng

Reputation: 520

Linux capabilities for container to update file atime programmatically

I have a container running in non-privileged mode. I'd like to update a file's atime via Python code for some reason, but found I could not do that due to a permission issue, even though I can write to that file.

I tried to add Linux capabilities to the container, but even with SYS_ADMIN it still does not work. Does anyone happen to know what capabilities to add, or what I missed there?

Thank you!

bash-5.1$ id 
uid=1000(contest) gid=1000(contest) groups=1000(contest)
bash-5.1$ ls -l
total 250
-rwxrwxrwx    1 root     contest          0 Oct 27 07:16 anotherfile
-rwxrwxrwx    1 root     contest     254823 Oct 27 07:37 outfile
-rwxrwxrwx    1 root     contest          0 Oct 24 03:52 test
-rwxrwxrwx    1 root     contest        364 Oct 27 07:16 test.py
-rwxrwxrwx    1 root     contest         18 Oct 24 05:25 testfile
bash-5.1$ python3 test.py
1666854988.190472
1666851388.190472
Traceback (most recent call last):
  File "/mnt/azurefile/test.py", line 19, in <module>
    os.utime(myfile, (atime - 3600.0, mtime))
PermissionError: [Errno 1] Operation not permitted
bash-5.1$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(contest) euid=1000(contest)
gid=1000(contest)
groups=1000(contest)
Guessed mode: HYBRID (4)

My Python code to update atime:

import os

myfile = "anotherfile"

# Read the file's current access (atime) and modification (mtime)
# timestamps, as seconds since the epoch.
stat = os.stat(myfile)
mtime = stat.st_mtime
atime = stat.st_atime

print(mtime)
mtime = mtime - 3600.0
print(mtime)
# Set atime and mtime to explicit values one hour in the past. This is
# the call that fails with EPERM in the non-privileged container.
os.utime(myfile, (atime - 3600.0, mtime))

Pod YAML:

---
kind: Pod
apiVersion: v1
metadata:
  name: nginx-azurefile
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  nodeSelector:
    "kubernetes.io/os": linux
  containers:
    - image: acheng.azurecr.io/capsh
      name: nginx-azurefile
      securityContext:
        capabilities:
          add: ["CHOWN","SYS_ADMIN","SYS_RESOURCES"]
      command:
        - "/bin/bash"
        - "-c"
        - set -euo pipefail; while true; do echo $(date) >> /mnt/azurefile/outfile; sleep 10; done
      volumeMounts:
        - name: persistent-storage
          mountPath: "/mnt/azurefile"
  imagePullSecrets:
    - name: acr-secret
  volumes:
    - name: persistent-storage
      persistentVolumeClaim:
        claimName: pvc-azurefile

I tried adding the SYS_ADMIN capability but it didn't work. If the container runs in privileged mode, the code is able to update the file access time as expected.

Upvotes: 1

Views: 258

Answers (1)

Alan Cheng

Reputation: 520

Answering my own question here.

After searching around, I found Kubernetes does not support capabilities for non-root users. The capabilities added in the container spec are for the root user only and won't take effect for non-root users. See this GitHub issue for details: https://github.com/kubernetes/kubernetes/issues/56374

A workaround is to add the cap directly to the executable file using the setcap command (from libcap). The capability needed is CAP_FOWNER.

Upvotes: 1
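An added diagnostic, not part of the question or the answer, that makes the rule behind the EPERM explicit: utime() with explicit timestamps is allowed only for the file's owner or a process whose effective set contains CAP_FOWNER, which is why write permission alone was not enough. It reads CapEff from /proc/self/status, so the capability check only works on Linux; the file name and the CapEff values in the test are constructed samples.

```python
import os
import tempfile

CAP_FOWNER = 3  # bit index of CAP_FOWNER in the kernel's capability bitmask

def parse_cap_eff(status_text):
    """Extract the effective capability mask (hex CapEff line) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    return 0

def effective_caps():
    try:
        with open("/proc/self/status") as f:
            return parse_cap_eff(f.read())
    except OSError:  # not Linux: no /proc/self/status, so report no capabilities
        return 0

def has_cap(mask, cap):
    return bool((mask >> cap) & 1)

def can_set_arbitrary_times(path):
    """Kernel rule for utime() with explicit timestamps: file owner or CAP_FOWNER."""
    return os.stat(path).st_uid == os.geteuid() or has_cap(effective_caps(), CAP_FOWNER)

def try_backdate(path, seconds=3600.0):
    """Move atime and mtime back by `seconds`, as the question's test.py does."""
    # By contrast, os.utime(path) with no times sets both stamps to "now" and needs only write access.
    st = os.stat(path)
    try:
        os.utime(path, (st.st_atime - seconds, st.st_mtime - seconds))
        return "ok"
    except PermissionError:  # EPERM: neither owner nor CAP_FOWNER
        return "eperm"

def demo():
    # Constructed sample file owned by this process, so the backdate is expected to succeed.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "anotherfile")
        open(path, "w").close()
        before = os.stat(path).st_mtime
        outcome = try_backdate(path)
        shift = round(before - os.stat(path).st_mtime)  # 3600 when the call succeeded
        return outcome, shift, can_set_arbitrary_times(path)
```

Run inside the questioner's pod against the root-owned file, it reports the empty effective set that capsh showed ("Current: =") and "eperm" from try_backdate. Applying setcap cap_fowner+ep to the python3 binary grants that capability to every script the interpreter runs, so a small dedicated helper executable is the narrower place to put the file capability.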
