[lxc-devel] [PATCH 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container
Purcareata Bogdan
b43198 at freescale.com
Tue May 12 09:49:44 UTC 2015
On 12.05.2015 01:52, Serge Hallyn wrote:
> Quoting Purcareata Bogdan (b43198 at freescale.com):
>> Kind reminder - any comments / feedback on this patchset?
>
> Sorry, I thought I had replied to this? Namely, you are expressly
> checking for /usr/local, but it might be better to check for the
> paths which you expect to be valid - i.e. not something funky like
> /opt/local.
Thanks! Yes, there was a response related to the subject, but it was before this
patch, on a different thread. I didn't get the right idea the first time. Fixed
it now, and sent v2.
Best regards,
Bogdan P.
>> Thank you,
>> Bogdan P.
>>
>> On 27.04.2015 12:37, Bogdan Purcareata wrote:
>>> On some systems, some binaries needed by the container features (dropbear,
>>> openssh), may be placed in /usr/local/* directories. Since semantically they are
>>> destined for the local machine only, and it can further imply the associated
>>> libraries are also available in /usr/local/lib* directories, prevent them from
>>> being copied in the container rootfs.
>>>
>>> The user should only use these binaries if they are installed at system-wide
>>> locations on the host, such as /{s,}bin or /usr/{s,}bin.
>>>
>>> Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
>>> ---
>>> templates/lxc-busybox.in | 42 +++++++++++++++++++++++++++---------------
>>> 1 file changed, 27 insertions(+), 15 deletions(-)
>>>
>>> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
>>> index 4f27bd8..6cd570a 100644
>>> --- a/templates/lxc-busybox.in
>>> +++ b/templates/lxc-busybox.in
>>> @@ -38,6 +38,30 @@ am_in_userns() {
>>> in_userns=0
>>> [ $(am_in_userns) = "yes" ] && in_userns=1
>>>
>>> +copy_binary()
>>> +{
>>> + binary_path=`which $1`
>>> + if [ $? -ne 0 ]; then
>>> + echo "Unable to find $1 binary on the system"
>>> + return 1
>>> + fi
>>> +
>>> + echo $binary_path | grep "/usr/local" >/dev/null 2>&1
>>> + if [ $? -eq 0 ]; then
>>> + echo "Binary $1 is located at $binary_path and will not be copied"
>>> + echo "(/usr/local path not supported)"
>>> + return 1
>>> + fi
>>> +
>>> + cp $binary_path $rootfs/$binary_path
>>> + if [ $? -ne 0 ]; then
>>> + echo "Failed to copy $binary_path to rootfs"
>>> + return 1
>>> + fi
>>> +
>>> + return 0
>>> +}
>>> +
>>> install_busybox()
>>> {
>>> rootfs=$1
>>> @@ -172,11 +196,7 @@ EOF
>>> install_dropbear()
>>> {
>>> # copy dropbear binary
>>> - cp $(which dropbear) $rootfs/usr/sbin
>>> - if [ $? -ne 0 ]; then
>>> - echo "Failed to copy dropbear in the rootfs"
>>> - return 1
>>> - fi
>>> + copy_binary dropbear || return 1
>>>
>>> # make symlinks to various ssh utilities
>>> utils="\
>>> @@ -232,19 +252,11 @@ $rootfs/var/run/sshd \
>>>
>>> # copy binaries
>>> for bin in $server_utils $client_utils; do
>>> - tool_path=`which $bin`
>>> - cp $tool_path $rootfs/$tool_path
>>> - if [ $? -ne 0 ]; then
>>> - echo "Unable to copy $tool_path in the rootfs"
>>> - return 1
>>> - fi
>>> + copy_binary $bin || return 1
>>> done
>>>
>>> for bin in $client_optional_utils; do
>>> - tool_path=`which $bin`
>>> - if [ $? -eq 0 ]; then
>>> - cp $tool_path $rootfs/$tool_path
>>> - fi
>>> + tool_path=`which $bin` && copy_binary $bin
>>> done
>>>
>>> # add user and group
>>>
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-devel
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
>
More information about the lxc-devel
mailing list