allowPrivilegeEscalation=true and RequiredDropCapabilities=SETUID in Kubernetes/OpenShift

2/1/2020

I have read the descriptions of these here: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

And I'm still very confused as to whether these are the same but opposing settings? For instance in OpenShift's restricted SCC we have SETUID as one of the RequiredDropCapabilities. At the same time, in the same SCC, we have allowPrivilegeEscalation=true.

Is one disallowing processes to be launched under other users but the other one allowing that?

This is what I read on allowPrivilegeEscalation=true:

This defaults to allowed so as to not break setuid binaries

and for SETUID:

setuid() sets the effective user ID of the calling process

(from http://man7.org/linux/man-pages/man2/setuid.2.html)

Could someone explain this to me please?

-- Jeff Saremi
kubernetes
okd
openshift

1 Answer

2/1/2020

A setuid binary is a file that has the 4000 bit flag in its file permissions. While we usually talk about Unix file permissions using just three octal digits (744 or 600, etc.), the next three bits are commonly used for suid, sgid, and sticky. A suid executable is automatically setuid()'d to the ID of the owner of the file. This is how tools like sudo work, which require elevated permissions but are run by unprivileged users.

-- coderanger
Source: StackOverflow
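The following is an added worked example, not part of the question or of coderanger's answer. It makes the two controls the question asks about concrete: the first function decodes the 4000/2000/1000 bits the answer describes from a file mode, and the second takes a container securityContext and reports, separately, whether the kernel will honour the setuid bit on exec (governed by allowPrivilegeEscalation, which Kubernetes maps to the no_new_privs flag and which defaults to true) and whether the process keeps CAP_SETUID (governed by the capabilities drop list, which gates the setuid(2) family of syscalls rather than the file bit). The sample contexts are constructed for illustration; the one labelled "restricted-like" is an assumption about what the OpenShift restricted SCC produces and should be checked against the real SCC with `oc describe scc restricted`.

```python
import os
import stat
import tempfile

# Constructed sample contexts (assumptions for illustration, not copied from a cluster).
RESTRICTED_LIKE_CONTEXT = {
    "allowPrivilegeEscalation": True,
    "capabilities": {"drop": ["KILL", "MKNOD", "SETUID", "SETGID"]},
}

HARDENED_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}


def decode_special_bits(mode: int) -> dict:
    """Decode the three 'special' bits that sit above the rwx triplets:
    4000 = setuid (S_ISUID), 2000 = setgid (S_ISGID), 1000 = sticky (S_ISVTX)."""
    return {
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
        # Four octal digits so the special bit is visible, e.g. "4755".
        "octal": format(stat.S_IMODE(mode), "04o"),
    }


def file_special_bits(path: str) -> dict:
    """Same decoding, read from a real file on disk."""
    return decode_special_bits(os.stat(path).st_mode)


def evaluate_context(ctx: dict) -> dict:
    """Separate the two settings the question conflates.

    allowPrivilegeEscalation -> kernel no_new_privs: when False, exec ignores
    the setuid/setgid bits, so a 4755 binary runs with the caller's own uid.
    Dropping SETUID -> removes CAP_SETUID, which gates setuid(2)/setreuid(2)/
    setresuid(2) for the running process; it does not change what exec does
    with the 4000 bit.
    """
    caps = ctx.get("capabilities", {})
    drops = {c.upper() for c in caps.get("drop", [])}
    adds = {c.upper() for c in caps.get("add", [])}
    # Kubernetes treats an unset allowPrivilegeEscalation as allowed.
    allow_escalation = ctx.get("allowPrivilegeEscalation", True)
    setuid_dropped = bool({"SETUID", "ALL"} & drops) and "SETUID" not in adds
    return {
        "setuid_bit_honoured_on_exec": bool(allow_escalation),
        "cap_setuid_available": not setuid_dropped,
    }


def demo() -> None:
    # Create a file we own and set mode 4755 to show the bit in practice.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    os.chmod(path, 0o4755)
    print("file bits:", file_special_bits(path))
    os.unlink(path)
    for name, ctx in (("restricted-like", RESTRICTED_LIKE_CONTEXT),
                      ("hardened", HARDENED_CONTEXT)):
        print(name, evaluate_context(ctx))


if __name__ == "__main__":
    demo()
```

With the restricted-like context the two answers differ: the setuid bit is still honoured on exec (allowPrivilegeEscalation is true), while CAP_SETUID is gone from the process, which is why the two settings are not simply opposites of each other. Setting allowPrivilegeEscalation to false is what stops a setuid binary from changing the effective uid at exec time.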