[lxc-devel] [PATCH] templates: improve refusing to run unprivileged

Stéphane Graber stgraber at ubuntu.com
Thu Feb 6 15:57:35 UTC 2014


On Thu, Feb 06, 2014 at 07:38:39PM +0900, TAMUKI Shoichi wrote:
> For all templates except lxc-ubuntu-cloud and lxc-download, detect not
> only --mapped-uid but also --mapped-gid and error out.  Detecting will
> not be done after -- parameter because of non-option parameters.
> 
> Also, change the mode of lxc-archlinux.in 100755 to 100644.
> 

I still feel this is unneeded as --mapped-uid will always be passed
alongside --mapped-gid. Those are LXC-internal options so we really
don't have to care about users manually passing either of those, but
whatever, the patch isn't wrong, so if that makes you happy...

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
> ---
>  templates/lxc-alpine.in       | 5 +++--
>  templates/lxc-altlinux.in     | 5 +++--
>  templates/lxc-archlinux.in    | 5 +++--
>  templates/lxc-busybox.in      | 5 +++--
>  templates/lxc-centos.in       | 5 +++--
>  templates/lxc-cirros.in       | 5 +++--
>  templates/lxc-debian.in       | 5 +++--
>  templates/lxc-fedora.in       | 5 +++--
>  templates/lxc-gentoo.in       | 5 +++--
>  templates/lxc-openmandriva.in | 5 +++--
>  templates/lxc-opensuse.in     | 5 +++--
>  templates/lxc-oracle.in       | 5 +++--
>  templates/lxc-plamo.in        | 5 +++--
>  templates/lxc-sshd.in         | 5 +++--
>  templates/lxc-ubuntu.in       | 5 +++--
>  15 files changed, 45 insertions(+), 30 deletions(-)
>  mode change 100755 => 100644 templates/lxc-archlinux.in
> 
> diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
> index 232f54b..d1ae9f3 100644
> --- a/templates/lxc-alpine.in
> +++ b/templates/lxc-alpine.in
> @@ -1,8 +1,9 @@
>  #!/bin/bash
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
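
Review bot: the -o inside the single [ ... ] on the new "if" line is marked
obsolescent by POSIX, and its parsing becomes ambiguous when "$arg" happens
to look like a test operator such as ( or !. Since the template is
#!/bin/bash, I would split it into two tests joined by ||:
    if [ "$arg" == "--mapped-uid" ] || [ "$arg" == "--mapped-gid" ]; then
A case statement with the pattern --mapped-uid|--mapped-gid would work as
well. The move from $* to "$@" is right: arguments containing whitespace
are no longer split before they are compared.
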
> diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
> index 385465c..e64ad24 100644
> --- a/templates/lxc-altlinux.in
> +++ b/templates/lxc-altlinux.in
> @@ -25,8 +25,9 @@
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> old mode 100755
> new mode 100644
> index d394816..d3d5f73
> --- a/templates/lxc-archlinux.in
> +++ b/templates/lxc-archlinux.in
> @@ -26,8 +26,9 @@
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
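
Review bot: the "old mode 100755 / new mode 100644" lines at the top of this
file's diff bundle a permission change with the argument-check change. The
commit message mentions it but gives no reason. Please either move the mode
change into its own patch or add a sentence of rationale, so that a later
bisect or revert of the userns check does not also flip the file mode.
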
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index f4aa6c4..dae1541 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -21,8 +21,9 @@
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
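
Review bot: the added line
    [ "$arg" == "--" ] && break
has no comment, and the existing "# Detect use under userns (unsupported)"
comment does not cover it. The reason (everything after -- is a non-option
parameter and must not be matched) is only in the commit message. A one-line
comment above the break would keep that visible in each template.
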
> diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> index 1fce0e3..d089a15 100644
> --- a/templates/lxc-centos.in
> +++ b/templates/lxc-centos.in
> @@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
>  # should be able to use EITHER.  Give preference to /etc/os-release for now.
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
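
Review bot: per the hunk header (@@ -73,8 +73,9 @@ lxc_network_link=lxcbr0)
the refusal check here sits more than 70 lines into the file, after at
least the lxc_network_link assignment, while most other templates in this
patch have it in the first 30 lines, right after the license header.
lxc-fedora.in has the same layout. If anything above this point does more
than set variables, consider moving the check to the top in a follow-up so
the template refuses before any setup runs.
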
> diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
> index 519013f..24c59a9 100644
> --- a/templates/lxc-cirros.in
> +++ b/templates/lxc-cirros.in
> @@ -22,8 +22,9 @@
>  # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
> index 376e30d..cb19ba4 100644
> --- a/templates/lxc-debian.in
> +++ b/templates/lxc-debian.in
> @@ -21,8 +21,9 @@
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
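
Review bot: this is the same five-line change that the patch applies to 15
templates, so the check now exists in 15 copies that have to be kept in
sync by hand, as this patch itself shows. Not a blocker for this change,
but a shared snippet that each template sources would make the next
adjustment a one-file patch and would avoid one template drifting from the
others.
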
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index b8a2339..5ab3852 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
>  # should be able to use EITHER.  Give preference to /etc/os-release for now.
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-gentoo.in b/templates/lxc-gentoo.in
> index ae67898..e59ed45 100644
> --- a/templates/lxc-gentoo.in
> +++ b/templates/lxc-gentoo.in
> @@ -14,8 +14,9 @@
>  #
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
> index e5d2b1c..ddc9863 100644
> --- a/templates/lxc-openmandriva.in
> +++ b/templates/lxc-openmandriva.in
> @@ -27,8 +27,9 @@
>  #
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> index fb21864..df517a6 100644
> --- a/templates/lxc-opensuse.in
> +++ b/templates/lxc-opensuse.in
> @@ -26,8 +26,9 @@
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
> index c114ad8..ae64bc6 100644
> --- a/templates/lxc-oracle.in
> +++ b/templates/lxc-oracle.in
> @@ -28,8 +28,9 @@
>  #
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
> index e9f681e..c8cf3a5 100644
> --- a/templates/lxc-plamo.in
> +++ b/templates/lxc-plamo.in
> @@ -29,8 +29,9 @@
>  #      lxc-ubuntu script
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
> index 397a388..2c3cd7f 100644
> --- a/templates/lxc-sshd.in
> +++ b/templates/lxc-sshd.in
> @@ -21,8 +21,9 @@
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index b7f9777..85df042 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -25,8 +25,9 @@
>  #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
>  
>  # Detect use under userns (unsupported)
> -for arg in $*; do
> -    if [ "$arg" == "--mapped-uid" ]; then
> +for arg in "$@"; do
> +    [ "$arg" == "--" ] && break
> +    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
>          echo "This template can't be used for unprivileged containers." 1>&2
>          echo "You may want to try the \"download\" template instead." 1>&2
>          exit 1
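
Review bot: the comparison on the new "if" line is exact string equality,
so only the bare words --mapped-uid and --mapped-gid are caught. An argument
written as --mapped-uid=VALUE would not match. If the option parser further
down in the template accepts the --option=value form, the check can be
skipped that way; a case pattern such as --mapped-uid|--mapped-uid=*
(and the same for gid) would cover both spellings. If LXC only ever passes
the two-word form, a comment saying so is enough.
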
> -- 
> 1.8.4.4

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com