[lxc-devel] [PATCH] templates: improve refusing to run unprivileged
TAMUKI Shoichi
tamuki at linet.gr.jp
Thu Feb 6 10:38:39 UTC 2014
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detection is not
performed after the -- parameter, because what follows it are non-option
parameters.
Also, change the mode of lxc-archlinux.in from 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
---
templates/lxc-alpine.in | 5 +++--
templates/lxc-altlinux.in | 5 +++--
templates/lxc-archlinux.in | 5 +++--
templates/lxc-busybox.in | 5 +++--
templates/lxc-centos.in | 5 +++--
templates/lxc-cirros.in | 5 +++--
templates/lxc-debian.in | 5 +++--
templates/lxc-fedora.in | 5 +++--
templates/lxc-gentoo.in | 5 +++--
templates/lxc-openmandriva.in | 5 +++--
templates/lxc-opensuse.in | 5 +++--
templates/lxc-oracle.in | 5 +++--
templates/lxc-plamo.in | 5 +++--
templates/lxc-sshd.in | 5 +++--
templates/lxc-ubuntu.in | 5 +++--
15 files changed, 45 insertions(+), 30 deletions(-)
mode change 100755 => 100644 templates/lxc-archlinux.in
diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 232f54b..d1ae9f3 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -1,8 +1,9 @@
#!/bin/bash
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
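Review bot: The new condition `[ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]` puts a caller-supplied word into a seven-argument `test` expression joined with `-o`, a form POSIX marks obsolescent because an operand that looks like an operator (for example `(` or `!`) can be misparsed, making `[` fail with a syntax error instead of returning a clean false. Two separate tests are unambiguous and need nothing beyond the `#!/bin/bash` visible in this hunk: `if [ "$arg" = "--mapped-uid" ] || [ "$arg" = "--mapped-gid" ]; then`. The comparison is also exact-match, so a single-word form such as `--mapped-uid=VALUE` would not trip the guard; whether the caller can pass the option that way is not visible in this patch and is worth confirming. The same lines appear in the other fourteen template hunks, and the loop closes outside each hunk.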
diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index 385465c..e64ad24 100644
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -25,8 +25,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
old mode 100755
new mode 100644
index d394816..d3d5f73
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -26,8 +26,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index f4aa6c4..dae1541 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -21,8 +21,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index 1fce0e3..d089a15 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
# should be able to use EITHER. Give preference to /etc/os-release for now.
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
index 519013f..24c59a9 100644
--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -22,8 +22,9 @@
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 376e30d..cb19ba4 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -21,8 +21,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index b8a2339..5ab3852 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
# should be able to use EITHER. Give preference to /etc/os-release for now.
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-gentoo.in b/templates/lxc-gentoo.in
index ae67898..e59ed45 100644
--- a/templates/lxc-gentoo.in
+++ b/templates/lxc-gentoo.in
@@ -14,8 +14,9 @@
#
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
index e5d2b1c..ddc9863 100644
--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
@@ -27,8 +27,9 @@
#
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index fb21864..df517a6 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -26,8 +26,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index c114ad8..ae64bc6 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -28,8 +28,9 @@
#
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
index e9f681e..c8cf3a5 100644
--- a/templates/lxc-plamo.in
+++ b/templates/lxc-plamo.in
@@ -29,8 +29,9 @@
# lxc-ubuntu script
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index 397a388..2c3cd7f 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -21,8 +21,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index b7f9777..85df042 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -25,8 +25,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
echo "This template can't be used for unprivileged containers." 1>&2
echo "You may want to try the \"download\" template instead." 1>&2
exit 1
--
1.8.4.4