[lxc-devel] [PATCH 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container
Purcareata Bogdan
b43198 at freescale.com
Tue May 5 11:53:12 UTC 2015
Kind reminder - any comments / feedback on this patchset?
Thank you,
Bogdan P.
On 27.04.2015 12:37, Bogdan Purcareata wrote:
> On some systems, some binaries needed by the container features (dropbear,
> openssh) may be placed in /usr/local/* directories. Since they are semantically
> destined for the local machine only, and this can further imply that the associated
> libraries are also only available in /usr/local/lib* directories, prevent them from
> being copied into the container rootfs.
>
> The user should only use these binaries if they are installed at system-wide
> locations on the host, such as /{s,}bin or /usr/{s,}bin.
>
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> ---
> templates/lxc-busybox.in | 42 +++++++++++++++++++++++++++---------------
> 1 file changed, 27 insertions(+), 15 deletions(-)
>
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 4f27bd8..6cd570a 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -38,6 +38,30 @@ am_in_userns() {
> in_userns=0
> [ $(am_in_userns) = "yes" ] && in_userns=1
>
> +copy_binary()
> +{
> + binary_path=`which $1`
> + if [ $? -ne 0 ]; then
> + echo "Unable to find $1 binary on the system"
> + return 1
> + fi
> +
> + echo $binary_path | grep "/usr/local" >/dev/null 2>&1
> + if [ $? -eq 0 ]; then
> + echo "Binary $1 is located at $binary_path and will not be copied"
> + echo "(/usr/local path not supported)"
> + return 1
> + fi
> +
> + cp $binary_path $rootfs/$binary_path
> + if [ $? -ne 0 ]; then
> + echo "Failed to copy $binary_path to rootfs"
> + return 1
> + fi
> +
> + return 0
> +}
> +
> install_busybox()
> {
> rootfs=$1
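Review bot: The `/usr/local` test in copy_binary (`echo $binary_path | grep "/usr/local"`) is a substring match rather than a prefix test, so a path that merely contains `/usr/local` under another prefix is rejected, while a binary whose `which` result is a symlink from a system-wide directory into /usr/local is accepted, since only the link path is inspected and `cp` then copies the link target; a prefix match such as `case "$binary_path" in /usr/local/*) ...; esac` states the intent directly, with `readlink -f` worth considering if the symlink case matters. The copy to `$rootfs/$binary_path` assumes the matching parent directory already exists in the rootfs, which is true for `$rootfs/usr/sbin` as before but not obviously for a binary found in `/sbin` or `/bin`; a short comment on that assumption would help. The function also reads the global `rootfs`, which is only set by install_busybox at the end of this hunk, so a note `# uses global rootfs set by install_busybox` above the function would make the ordering dependency visible. All expansions in the function (`$1`, `$binary_path`, `$rootfs`) are unquoted, and the diagnostics go to stdout; quoting them and sending messages with `>&2` avoids surprises when the output is captured. install_busybox's body continues outside the hunk.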
> @@ -172,11 +196,7 @@ EOF
> install_dropbear()
> {
> # copy dropbear binary
> - cp $(which dropbear) $rootfs/usr/sbin
> - if [ $? -ne 0 ]; then
> - echo "Failed to copy dropbear in the rootfs"
> - return 1
> - fi
> + copy_binary dropbear || return 1
>
> # make symlinks to various ssh utilities
> utils="\
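Review bot: Replacing `cp $(which dropbear) $rootfs/usr/sbin` with `copy_binary dropbear` changes where the binary lands: it is now placed at `$rootfs/<host path of dropbear>` instead of always in `$rootfs/usr/sbin`, so on a host where dropbear lives in /usr/bin or /sbin the container gets it at a different location than before. If the symlinks created from `utils` below the hunk point at a fixed /usr/sbin/dropbear path, they would dangle in that case; either the symlink targets should be derived from the same path copy_binary used, or the new location should be documented in the `# copy dropbear binary` comment. install_dropbear continues outside the hunk.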
> @@ -232,19 +252,11 @@ $rootfs/var/run/sshd \
>
> # copy binaries
> for bin in $server_utils $client_utils; do
> - tool_path=`which $bin`
> - cp $tool_path $rootfs/$tool_path
> - if [ $? -ne 0 ]; then
> - echo "Unable to copy $tool_path in the rootfs"
> - return 1
> - fi
> + copy_binary $bin || return 1
> done
>
> for bin in $client_optional_utils; do
> - tool_path=`which $bin`
> - if [ $? -eq 0 ]; then
> - cp $tool_path $rootfs/$tool_path
> - fi
> + tool_path=`which $bin` && copy_binary $bin
> done
>
> # add user and group
>
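Review bot: In the optional-utils loop, `tool_path=`which $bin` && copy_binary $bin` assigns `tool_path` but never uses it afterwards, and copy_binary repeats the `which` lookup itself; the only effect of the prefix is to skip copy_binary's "Unable to find" message for absent optional tools. A form that says so, `which $bin >/dev/null 2>&1 && copy_binary $bin`, with a comment `# optional: silently skip tools not installed on the host`, avoids the dead variable. Note that a failure from copy_binary (for example a /usr/local path) is ignored here by design, unlike the loop above it, which returns 1; the comment should make that distinction explicit. `$bin` is unquoted in both loops; the enclosing function continues outside the hunk.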