[lxc-devel] [PATCH v2 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container

Serge Hallyn serge.hallyn at ubuntu.com
Wed May 13 14:44:26 UTC 2015 

Quoting Bogdan Purcareata (bogdan.purcareata at freescale.com):
> On certain systems, some binaries needed by the container features (dropbear,
> openssh), may be placed in non-standard (aka non-distribution-managed
> locations), such as /usr/local/*, /opt/local/*, etc. Don't copy the respective
> binaries in the container and return a clear error why.
> 
> The user should only use these binaries if they are installed at system-wide
> locations on the host, such as /{s,}bin or /usr/{s,}bin.
> 
> v2:
> - check that binary paths adhere to /{,usr/}{,s}bin only
> 
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>

Thanks!

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  templates/lxc-busybox.in | 43 ++++++++++++++++++++++++++++---------------
>  1 file changed, 28 insertions(+), 15 deletions(-)
> 
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 17a3006..c020e66 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -38,6 +38,31 @@ am_in_userns() {
>  in_userns=0
>  [ $(am_in_userns) = "yes" ] && in_userns=1
>  
> +copy_binary()
> +{
> +    binary_path=`which $1`
> +    if [ $? -ne 0 ]; then
> +        echo "Unable to find $1 binary on the system"
> +        return 1
> +    fi
> +
> +    dir_path="${binary_path%/*}"
> +    echo /{,usr/}{,s}bin | grep $dir_path >/dev/null 2>&1
> +    if [ $? -ne 0 ]; then
> +        echo "Binary $1 is located at $binary_path and will not be copied"
> +        echo "($dir_path not supported)"
> +        return 1
> +    fi
> +
> +    cp $binary_path $rootfs/$binary_path
> +    if [ $? -ne 0 ]; then
> +        echo "Failed to copy $binary_path to rootfs"
> +        return 1
> +    fi
> +
> +    return 0
> +}
> +
>  install_busybox()
>  {
>      rootfs=$1
> @@ -164,11 +189,7 @@ EOF
>  install_dropbear()
>  {
>      # copy dropbear binary
> -    cp $(which dropbear) $rootfs/usr/sbin
> -    if [ $? -ne 0 ]; then
> -        echo "Failed to copy dropbear in the rootfs"
> -        return 1
> -    fi
> +    copy_binary dropbear || return 1
>  
>      # make symlinks to various ssh utilities
>      utils="\
> @@ -224,19 +245,11 @@ $rootfs/var/run/sshd \
>  
>      # copy binaries
>      for bin in $server_utils $client_utils; do
> -        tool_path=`which $bin`
> -        cp $tool_path $rootfs/$tool_path
> -        if [ $? -ne 0 ]; then
> -            echo "Unable to copy $tool_path in the rootfs"
> -            return 1
> -        fi
> +        copy_binary $bin || return 1
>      done
>  
>      for bin in $client_optional_utils; do
> -        tool_path=`which $bin`
> -        if [ $? -eq 0 ]; then
> -            cp $tool_path $rootfs/$tool_path
> -        fi
> +        tool_path=`which $bin` && copy_binary $bin
>      done
>  
>      # add user and group
> -- 
> 2.1.4
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

More information about the lxc-devel mailing list