From 33d52ce39a2ee49b0ca4ef295f8808dabdc80158 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Tue, 4 Jun 2024 14:44:12 +0200
Subject: [PATCH] Updated scripts/update-base.sh (added the unprivilege function).
---
scripts/update-base.sh | 84 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/scripts/update-base.sh b/scripts/update-base.sh
index 91c7a64..f9bc535 100755
--- a/scripts/update-base.sh
+++ b/scripts/update-base.sh
@@ -15,6 +15,87 @@ then exit 1 fi
+mount_dev_proc_sys()
+{
+ if [ ! -d $CONTAINER_PATH/rootfs/dev ]
+ then
+ mkdir $CONTAINER_PATH/rootfs/dev
+ fi
+ if [ ! -d $CONTAINER_PATH/rootfs/proc ]
+ then
+ mkdir $CONTAINER_PATH/rootfs/proc
+ fi
+ if [ ! -d $CONTAINER_PATH/rootfs/sys ]
+ then
+ mkdir $CONTAINER_PATH/rootfs/sys
+ fi
+ mount -o bind /dev $CONTAINER_PATH/rootfs/dev
+ mount -t proc proc $CONTAINER_PATH/rootfs/proc
+ mount -t sysfs sysfs $CONTAINER_PATH/rootfs/sys
+}
+
+umount_dev_proc_sys()
+{
+ umount $CONTAINER_PATH/rootfs/dev
+ umount $CONTAINER_PATH/rootfs/proc
+ umount $CONTAINER_PATH/rootfs/sys
+}
+
+unprivilege()
+{
+ find $CONTAINER_PATH/rootfs -perm -u+s >/tmp/us.$$
+ find $CONTAINER_PATH/rootfs -perm -g+s >/tmp/gs.$$
+ find $CONTAINER_PATH/rootfs -perm -o+t >/tmp/ot.$$
+
+ PRIV_UID=0
+ PRIV_UID_COUNT=$(find $CONTAINER_PATH/rootfs -uid $PRIV_UID | wc -l)
+ if [ $PRIV_UID_COUNT -gt 0 ]
+ then
+ echo "root user files: $PRIV_UID_COUNT"
+ UNPRIV_UID=$(( $PRIV_UID + 100000 ))
+ find $CONTAINER_PATH/rootfs -uid $PRIV_UID -print0 | xargs -0 chown --no-dereference $UNPRIV_UID
+ fi
+
+ PRIV_GID=0
+ PRIV_GID_COUNT=$(find $CONTAINER_PATH/rootfs -gid $PRIV_GID | wc -l)
+ if [ $PRIV_GID_COUNT -gt 0 ]
+ then
+ echo "root group files: $PRIV_GID_COUNT"
+ UNPRIV_GID=$(( $PRIV_GID + 100000 ))
+ find $CONTAINER_PATH/rootfs -gid $PRIV_GID -print0 | xargs -0 chgrp --no-dereference $UNPRIV_GID
+ fi
+
+ find $CONTAINER_PATH/rootfs -uid -100000 | while read PRIV_UID_FILE
+ do
+ ls --directory -l $PRIV_UID_FILE
+ PRIV_UID=$(stat --format="%u" $PRIV_UID_FILE)
+ UNPRIV_UID=$(( $PRIV_UID + 100000 ))
+ chown --no-dereference $UNPRIV_UID $PRIV_UID_FILE
+ done
+
+ find $CONTAINER_PATH/rootfs -gid -100000 | while read PRIV_GID_FILE
+ do
+ ls --directory -l $PRIV_GID_FILE
+ PRIV_GID=$(stat --format="%g" $PRIV_GID_FILE)
+ UNPRIV_GID=$(( $PRIV_GID + 100000 ))
+ chgrp --no-dereference $UNPRIV_GID $PRIV_GID_FILE
+ done
+
+ cat /tmp/us.$$ | while read US_NODE
+ do
+ chmod u+s $US_NODE
+ done
+ cat /tmp/gs.$$ | while read GS_NODE
+ do
+ chmod g+s $GS_NODE
+ done
+ cat /tmp/ot.$$ | while read OT_NODE
+ do
+ chmod o+t $OT_NODE
+ done
+ rm --force /tmp/us.$$ /tmp/gs.$$ /tmp/ot.$$
+}
+
 update_packages()
 {
 case "$DISTRIBUTION" in
@@ -173,6 +254,9 @@ fi echo "Starting at $(date)"
+mount_dev_proc_sys
 update_packages
+umount_dev_proc_sys
+unprivilege
 echo "Finishing at $(date)"
--
2.54.0
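Review bot: `unprivilege` writes its setuid/setgid/sticky lists to the predictable names `/tmp/us.$$`, `/tmp/gs.$$` and `/tmp/ot.$$`, then reads them back only after both chown passes and feeds every path to `chmod u+s`/`g+s`/`o+t` as root (the script has to be root for `mount` and `chown`), so during that window a local user who can plant or swap the file in world-writable /tmp gets an s-bit set on a path of their choosing; recent kernels' `fs.protected_*` settings narrow this, but the script should not rely on them. The same `find` walks carry no `-xdev`, so if `umount_dev_proc_sys` leaves the host's /dev, /proc or /sys mounted under `$CONTAINER_PATH/rootfs` (busy filesystem, no status check anywhere) the remap descends into them and rewrites the ownership of host device nodes to uid/gid 100000. `$CONTAINER_PATH` and the per-file variables are unquoted throughout and the remap loops use a bare `read`, so a path containing a space or backslash, which any package in the rootfs can ship, is split or mangled before it reaches `chown`. The rewrite below keeps the lists in `mktemp` files removed by an EXIT trap (merge the `rm` into an existing trap if the script already installs one outside this hunk), confines every walk with `-xdev`, and makes the lists NUL-delimited; the uid/gid 0 passes keep their logic and only gain `-xdev` and quoting, and `read -d ''` assumes the script runs under bash, which its shebang outside this hunk would confirm.
```shell
unprivilege()
{
    # The s-bit / sticky lists are captured before the chown passes (chown
    # drops the set-id bits) and replayed afterwards by chmod as root, so
    # they must not live under a guessable name in /tmp: mktemp + trap.
    US_LIST=$(mktemp) && GS_LIST=$(mktemp) && OT_LIST=$(mktemp) || exit 1
    trap 'rm -f -- "$US_LIST" "$GS_LIST" "$OT_LIST"' EXIT
    # -xdev: never descend into anything still mounted below the rootfs.
    find "$CONTAINER_PATH/rootfs" -xdev -perm -u+s -print0 >"$US_LIST"
    find "$CONTAINER_PATH/rootfs" -xdev -perm -g+s -print0 >"$GS_LIST"
    find "$CONTAINER_PATH/rootfs" -xdev -perm -o+t -print0 >"$OT_LIST"

    # … unchanged: uid 0 / gid 0 remap, with -xdev added and "$CONTAINER_PATH/rootfs" quoted …

    find "$CONTAINER_PATH/rootfs" -xdev -uid -100000 -print0 |
    while IFS= read -r -d '' PRIV_UID_FILE
    do
        ls --directory -l -- "$PRIV_UID_FILE"
        PRIV_UID=$(stat --format="%u" -- "$PRIV_UID_FILE")
        chown --no-dereference "$(( PRIV_UID + 100000 ))" -- "$PRIV_UID_FILE"
    done

    # … unchanged: gid < 100000 remap, same -print0 / read -r -d '' / quoting change …

    # -r: without it GNU xargs runs chmod with no operand when a list is empty.
    xargs -0 -r chmod u+s -- <"$US_LIST"
    xargs -0 -r chmod g+s -- <"$GS_LIST"
    xargs -0 -r chmod o+t -- <"$OT_LIST"
}
```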
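Review bot: `unprivilege` runs unconditionally after `umount_dev_proc_sys`, yet neither the mounts nor the unmounts check their exit status, and `umount` of a busy `/dev` or `/proc` (a process left behind by a package script, for instance) fails without stopping the script; the ownership remap then walks the host's /dev, /proc and /sys still mounted under `$CONTAINER_PATH/rootfs` and chowns host device nodes to uid/gid 100000. Gate the remap on the unmount, `umount_dev_proc_sys || { echo "rootfs dev/proc/sys still mounted, skipping unprivilege" >&2; exit 1; }`, and have `umount_dev_proc_sys` (defined in the first hunk) record a failure of any of its three `umount` calls instead of returning only the status of the last one. `update_packages` is likewise called without a status check, so a failed package update is followed by the remap and reported as a normal finish; whether `set -e` is in effect depends on the first lines of the script, which are outside this hunk.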