See https://github.com/docker/docker/issues/27590. Seems to be fixed in 1.12.3. Changelog is here: https://github.com/docker/docker/releases/tag/v1.12.3
Only affects 1.12.2 which is not stable
This should be reopened; it was not properly fixed. On the current gentoo release, with "app-emulation/runc-1.0.0_rc2-r2::gentoo", I can repro it with the following:

    $ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
    Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
    Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
    Securebits: 00/0x0/1'b0
    secure-noroot: no (unlocked)
    secure-no-suid-fixup: no (unlocked)
    secure-keep-caps: no (unlocked)
    uid=1000(???)
    gid=1000(???)
    groups=

    anaconda-ks.cfg  original-ks.cfg

This is CVE-2016-8867. This can be seen by the fact that uid 1000 can read /root and that capsh shows I have effective cap_fowner.

This will be fixed by applying the patch I've posted at https://github.com/gentoo/gentoo/pull/4058

After updating runc to the "-r3" included in that pr, the above command gives the following:

    $ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
    Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
    Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
    Securebits: 00/0x0/1'b0
    secure-noroot: no (unlocked)
    secure-no-suid-fixup: no (unlocked)
    secure-keep-caps: no (unlocked)
    uid=1000(???)
    gid=1000(???)
    groups=

    ls: cannot open directory '/root': Permission denied

Note the lack of "+eip" for capabilities and that filesystem permissions now work.
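The comment above distinguishes the vulnerable and fixed states by whether the `Current:` line of `capsh --print` carries `+eip` (effective, inheritable, permitted) or only `+i` for a non-root uid. The following is an added example, not part of the bug report or of runc/Docker, that automates that check: it parses the `Current:` and `uid=` lines of capsh output, and separately the `CapEff:` hex mask from `/proc/<pid>/status` (the kernel's own view, usable when capsh is not installed in the image). The two capsh samples are constructed from the outputs quoted in the comment; the `/proc` status sample is constructed with Docker's default capability mask, and the capability bit numbering follows the kernel's `capability.h`.

```python
"""Detect a non-root process that still holds effective Linux capabilities.

Added example; not code from the bug report, runc, or Docker. Parses the
'Current:' line of `capsh --print` as well as the CapEff mask in
/proc/<pid>/status. Sample inputs below are constructed for the example.
"""
import re

# Constructed from the capsh outputs quoted in the report (trimmed to the
# lines this example reads).
CAPSH_BEFORE_FIX = """Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Securebits: 00/0x0/1'b0
uid=1000(???)
gid=1000(???)
"""
CAPSH_AFTER_FIX = """Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
Securebits: 00/0x0/1'b0
uid=1000(???)
gid=1000(???)
"""
# Constructed /proc/<pid>/status excerpt; 0xa80425fb is Docker's default
# capability set (the same 14 capabilities listed by capsh above).
PROC_STATUS_SAMPLE = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

# Capability names in kernel bit order (bit 0 = CAP_CHOWN ... bit 37 = CAP_AUDIT_READ).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]


def parse_capsh_current(text):
    """Map each capability named on the 'Current:' line to its flag set.

    Groups look like 'cap_a,cap_b+eip' or 'cap_c-e' (cap_from_text format);
    '+' and '=' add the listed flags, '-' removes them.
    """
    m = re.search(r"^Current:\s*=\s*(.*)$", text, re.M)
    if not m:
        raise ValueError("no 'Current:' line in capsh output")
    caps = {}
    for group in m.group(1).split():
        gm = re.fullmatch(r"([\w,]*)([+=-])([eip]*)", group)
        if not gm:
            raise ValueError("unrecognised capability group: %r" % group)
        names, op, flags = gm.groups()
        for name in filter(None, names.split(",")):
            current = caps.setdefault(name, set())
            if op == "-":
                current.difference_update(flags)
            else:
                current.update(flags)
    return caps


def effective_caps(text):
    """Capabilities whose flag set includes 'e' (effective)."""
    return {name for name, flags in parse_capsh_current(text).items() if "e" in flags}


def parse_capsh_uid(text):
    m = re.search(r"^uid=(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def nonroot_with_effective_caps(text):
    """True when capsh output shows a uid other than 0 holding effective caps."""
    uid = parse_capsh_uid(text)
    return uid is not None and uid != 0 and bool(effective_caps(text))


def parse_proc_status_capeff(status_text):
    """Return the CapEff mask from a /proc/<pid>/status excerpt as an int."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_cap_mask(mask):
    """Translate a capability bitmask into capsh-style 'cap_*' names."""
    return {"cap_" + CAP_NAMES[i] for i in range(len(CAP_NAMES)) if (mask >> i) & 1}


if __name__ == "__main__":
    for label, sample in (("before fix", CAPSH_BEFORE_FIX), ("after fix", CAPSH_AFTER_FIX)):
        print(label, "effective:", sorted(effective_caps(sample)) or "none",
              "| non-root with effective caps:", nonroot_with_effective_caps(sample))
    print("constructed CapEff decodes to:", sorted(decode_cap_mask(parse_proc_status_capeff(PROC_STATUS_SAMPLE))))
    # Live check of the current process, if run on Linux.
    try:
        with open("/proc/self/status") as fh:
            print("this process CapEff:", sorted(decode_cap_mask(parse_proc_status_capeff(fh.read()))) or "none")
    except OSError:
        pass
```

Run inside a container started with `--user 1000:1000`: a non-empty effective set for a non-zero uid is the condition the comment describes, while the fixed runc leaves the capabilities inheritable-only (`+i`), which `effective_caps` reports as empty.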
I added a snapshot named runc-1.0.0_rc2_p20170222 which picks up latest changes from master. This should be good to go until upstream decides to release rc3.
Please open a request with a new bug detailing the runc issue.