[lxc-devel] [PATCH 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container

Purcareata Bogdan b43198 at freescale.com
Tue May 12 09:49:44 UTC 2015


On 12.05.2015 01:52, Serge Hallyn wrote:
> Quoting Purcareata Bogdan (b43198 at freescale.com):
>> Kind reminder - any comments / feedback on this patchset?
>
> Sorry, I thought I had replied to this?  Namely, you are expressly
> checking for /usr/local, but it might be better to check for the
> paths which you expect to be valid - i.e. not something funky like
> /opt/local.

Thanks! Yes, there was a response related to the subject, but it was before this 
patch, on a different thread. I didn't get the right idea the first time. Fixed 
it now, and sent v2.

Best regards,
Bogdan P.

>> Thank you,
>> Bogdan P.
>>
>> On 27.04.2015 12:37, Bogdan Purcareata wrote:
>>> On some systems, some binaries needed by the container features (dropbear,
>>> openssh), may be placed in /usr/local/* directories. Since semantically they are
>>> destined for the local machine only, and it can further imply the associated
>>> libraries are also available in /usr/local/lib* directories, prevent them from
>>> being copied in the container rootfs.
>>>
>>> The user should only use these binaries if they are installed at system-wide
>>> locations on the host, such as /{s,}bin or /usr/{s,}bin.
>>>
>>> Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
>>> ---
>>>   templates/lxc-busybox.in | 42 +++++++++++++++++++++++++++---------------
>>>   1 file changed, 27 insertions(+), 15 deletions(-)
>>>
>>> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
>>> index 4f27bd8..6cd570a 100644
>>> --- a/templates/lxc-busybox.in
>>> +++ b/templates/lxc-busybox.in
>>> @@ -38,6 +38,30 @@ am_in_userns() {
>>>   in_userns=0
>>>   [ $(am_in_userns) = "yes" ] && in_userns=1
>>>
>>> +copy_binary()
>>> +{
>>> +    binary_path=`which $1`
>>> +    if [ $? -ne 0 ]; then
>>> +        echo "Unable to find $1 binary on the system"
>>> +        return 1
>>> +    fi
>>> +
>>> +    echo $binary_path | grep "/usr/local" >/dev/null 2>&1
>>> +    if [ $? -eq 0 ]; then
>>> +        echo "Binary $1 is located at $binary_path and will not be copied"
>>> +        echo "(/usr/local path not supported)"
>>> +        return 1
>>> +    fi
>>> +
>>> +    cp $binary_path $rootfs/$binary_path
>>> +    if [ $? -ne 0 ]; then
>>> +        echo "Failed to copy $binary_path to rootfs"
>>> +        return 1
>>> +    fi
>>> +
>>> +    return 0
>>> +}
>>> +
>>>   install_busybox()
>>>   {
>>>       rootfs=$1
>>> @@ -172,11 +196,7 @@ EOF
>>>   install_dropbear()
>>>   {
>>>       # copy dropbear binary
>>> -    cp $(which dropbear) $rootfs/usr/sbin
>>> -    if [ $? -ne 0 ]; then
>>> -        echo "Failed to copy dropbear in the rootfs"
>>> -        return 1
>>> -    fi
>>> +    copy_binary dropbear || return 1
>>>
>>>       # make symlinks to various ssh utilities
>>>       utils="\
>>> @@ -232,19 +252,11 @@ $rootfs/var/run/sshd \
>>>
>>>       # copy binaries
>>>       for bin in $server_utils $client_utils; do
>>> -        tool_path=`which $bin`
>>> -        cp $tool_path $rootfs/$tool_path
>>> -        if [ $? -ne 0 ]; then
>>> -            echo "Unable to copy $tool_path in the rootfs"
>>> -            return 1
>>> -        fi
>>> +        copy_binary $bin || return 1
>>>       done
>>>
>>>       for bin in $client_optional_utils; do
>>> -        tool_path=`which $bin`
>>> -        if [ $? -eq 0 ]; then
>>> -            cp $tool_path $rootfs/$tool_path
>>> -        fi
>>> +        tool_path=`which $bin` && copy_binary $bin
>>>       done
>>>
>>>       # add user and group
>>>
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-devel
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
>


More information about the lxc-devel mailing list