[lxc-devel] [PATCH 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container

Serge Hallyn serge.hallyn at ubuntu.com
Mon May 11 22:52:14 UTC 2015


Quoting Purcareata Bogdan (b43198 at freescale.com):
> Kind reminder - any comments / feedback on this patchset?

Sorry, I thought I had replied to this?  Namely, you are expressly
checking for /usr/local, but it might be better to check for the
paths which you expect to be valid - i.e. not something funky like
/opt/local.

> Thank you,
> Bogdan P.
> 
> On 27.04.2015 12:37, Bogdan Purcareata wrote:
> >On some systems, some binaries needed by the container features (dropbear,
> >openssh), may be placed in /usr/local/* directories. Since semantically they are
> >destined for the local machine only, and it can further imply the associated
> >libraries are also available in /usr/local/lib* directories, prevent them from
> >being copied in the container rootfs.
> >
> >The user should only use these binaries if they are installed at system-wide
> >locations on the host, such as /{s,}bin or /usr/{s,}bin.
> >
> >Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> >---
> >  templates/lxc-busybox.in | 42 +++++++++++++++++++++++++++---------------
> >  1 file changed, 27 insertions(+), 15 deletions(-)
> >
> >diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> >index 4f27bd8..6cd570a 100644
> >--- a/templates/lxc-busybox.in
> >+++ b/templates/lxc-busybox.in
> >@@ -38,6 +38,30 @@ am_in_userns() {
> >  in_userns=0
> >  [ $(am_in_userns) = "yes" ] && in_userns=1
> >
> >+copy_binary()
> >+{
> >+    binary_path=`which $1`
> >+    if [ $? -ne 0 ]; then
> >+        echo "Unable to find $1 binary on the system"
> >+        return 1
> >+    fi
> >+
> >+    echo $binary_path | grep "/usr/local" >/dev/null 2>&1
> >+    if [ $? -eq 0 ]; then
> >+        echo "Binary $1 is located at $binary_path and will not be copied"
> >+        echo "(/usr/local path not supported)"
> >+        return 1
> >+    fi
> >+
> >+    cp $binary_path $rootfs/$binary_path
> >+    if [ $? -ne 0 ]; then
> >+        echo "Failed to copy $binary_path to rootfs"
> >+        return 1
> >+    fi
> >+
> >+    return 0
> >+}
> >+
> >  install_busybox()
> >  {
> >      rootfs=$1
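Review bot: the grep "/usr/local" test in copy_binary is a substring match, so it rejects any path that merely contains /usr/local anywhere (not only at the start) while still accepting any other unexpected prefix such as /opt/local; as the reply at the top of this message suggests, match on the prefixes you do expect instead, e.g.
    case "$binary_path" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) ;;
        *) echo "Binary $1 at $binary_path is outside the supported system paths"; return 1;; esac
Two smaller points in the same function: $1, $binary_path and $rootfs are expanded unquoted in the which and cp calls and should be double-quoted, and cp $binary_path $rootfs/$binary_path assumes the parent directory already exists in the rootfs, so a mkdir -p "$rootfs/$(dirname "$binary_path")" before the cp (or an explicit check) would keep the "Failed to copy" message accurate instead of the copy failing on a missing directory.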
> >@@ -172,11 +196,7 @@ EOF
> >  install_dropbear()
> >  {
> >      # copy dropbear binary
> >-    cp $(which dropbear) $rootfs/usr/sbin
> >-    if [ $? -ne 0 ]; then
> >-        echo "Failed to copy dropbear in the rootfs"
> >-        return 1
> >-    fi
> >+    copy_binary dropbear || return 1
> >
> >      # make symlinks to various ssh utilities
> >      utils="\
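Review bot: the destination of dropbear inside the rootfs changes here. The removed lines copied it to a fixed $rootfs/usr/sbin, whereas copy_binary dropbear copies it to $rootfs/$binary_path, i.e. wherever which found it on the host; if the symlinks created under "make symlinks to various ssh utilities" assume /usr/sbin/dropbear, a host with dropbear in /usr/bin will end up with dangling links in the container. Either keep the fixed destination for dropbear or have the symlink step use the resolved path, and say which in the commit message.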
> >@@ -232,19 +252,11 @@ $rootfs/var/run/sshd \
> >
> >      # copy binaries
> >      for bin in $server_utils $client_utils; do
> >-        tool_path=`which $bin`
> >-        cp $tool_path $rootfs/$tool_path
> >-        if [ $? -ne 0 ]; then
> >-            echo "Unable to copy $tool_path in the rootfs"
> >-            return 1
> >-        fi
> >+        copy_binary $bin || return 1
> >      done
> >
> >      for bin in $client_optional_utils; do
> >-        tool_path=`which $bin`
> >-        if [ $? -eq 0 ]; then
> >-            cp $tool_path $rootfs/$tool_path
> >-        fi
> >+        tool_path=`which $bin` && copy_binary $bin
> >      done
> >
> >      # add user and group
> >
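Review bot: in the client_optional_utils loop, tool_path is assigned but never used (copy_binary runs which again itself), so the assignment only serves as an existence test; which "$bin" >/dev/null 2>&1 && copy_binary "$bin" states that directly and drops the stray variable. Also note the deliberate asymmetry with the required loop: there a refused binary aborts the install via copy_binary $bin || return 1, while here a binary found under /usr/local is skipped with only the "will not be copied" message. That is presumably intended for optional tools, but a one-line comment would stop the next reader from turning it into a hard failure.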
