From d8bd5c79b3cd624a937a3f90a168e2e4c0f69bea Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zolt=C3=A1n=20Felleg?= Date: Tue, 4 Jun 2024 14:06:23 +0200 Subject: [PATCH] Updated scripts/c3.sh (added the unprivilege function). --- scripts/c3.sh | 142 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 109 insertions(+), 33 deletions(-) diff --git a/scripts/c3.sh b/scripts/c3.sh index 0bbc214..4e79c05 100755 --- a/scripts/c3.sh +++ b/scripts/c3.sh 
@@ -58,30 +58,47 @@ copy_and_install() { echo "Copying base container files." - for FQ_DIRECTORY in $BASE_CONTAINER_PATH/rootfs/* - do - DIRECTORY=$(basename $FQ_DIRECTORY) - case "$DIRECTORY" in - "usr") - # common for all containers - cp --archive --link $FQ_DIRECTORY $CONTAINER_BUILDROOT - ;; - "dev" | "proc") - # already mounted, skip - ;; - *) - # each container must have its own version - cp --archive $FQ_DIRECTORY $CONTAINER_BUILDROOT - ;; - esac - done - # the rpm database has moved to /usr - for DIRECTORY in usr/lib/sysimage - do - rm --force --recursive $CONTAINER_BUILDROOT/$DIRECTORY - cp --archive $BASE_CONTAINER_PATH/rootfs/$DIRECTORY \ - $CONTAINER_BUILDROOT/$DIRECTORY - done + if [ "$1" = "btrfs" ] + then + for FQ_DIRECTORY in $BASE_CONTAINER_PATH/rootfs/* + do + DIRECTORY=$(basename $FQ_DIRECTORY) + case "$DIRECTORY" in + "dev" | "proc") + # already mounted, skip + ;; + *) + # each container modifies its own version + cp --archive $FQ_DIRECTORY $CONTAINER_BUILDROOT + ;; + esac + done + else + for FQ_DIRECTORY in $BASE_CONTAINER_PATH/rootfs/* + do + DIRECTORY=$(basename $FQ_DIRECTORY) + case "$DIRECTORY" in + "usr") + # common for all containers + cp --archive --link $FQ_DIRECTORY $CONTAINER_BUILDROOT + ;; + "dev" | "proc") + # already mounted, skip + ;; + *) + # each container must have its own version + cp --archive $FQ_DIRECTORY $CONTAINER_BUILDROOT + ;; + esac + done + # copy the rpm database separately as it has been moved to /usr + for DIRECTORY in usr/lib/sysimage + do + rm --force --recursive $CONTAINER_BUILDROOT/$DIRECTORY + cp --archive $BASE_CONTAINER_PATH/rootfs/$DIRECTORY \ + $CONTAINER_BUILDROOT/$DIRECTORY + done + fi echo "Installing special packages." 
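Review bot: The new `$1` dispatch in copy_and_install treats anything other than the exact string `btrfs` as the hardlinking path, so a mistyped or empty argument silently builds a container whose `/usr` shares inodes with the base (`cp --archive --link`) instead of failing. A guard at the top such as `case "$1" in btrfs|ext4) ;; *) echo "copy_and_install: unsupported filesystem '$1'" >&2; return 1 ;; esac` makes the choice explicit. Because the hardlinked `/usr` is shared, any ownership or mode change later applied to the buildroot also lands on the base container's files, which matters now that the script chowns the whole buildroot after install; a comment on the `"usr")` arm such as `# hardlinked: chown/chmod on these files also changes the base rootfs` would warn the next editor. The `$BASE_CONTAINER_PATH/rootfs/*` globs are unquoted with no nullglob, so an empty rootfs hands the literal pattern to cp; copy_and_install's opening and closing lines are outside this hunk.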
@@ -226,7 +243,7 @@ populate_c3d() | xargs --null chmod 755 find $CONTAINER_BUILDROOT/c3d -type f -print0 \ | xargs --null chmod 644 - chown --recursive root.root $CONTAINER_BUILDROOT/c3d + chown --recursive root:root $CONTAINER_BUILDROOT/c3d fi MODE_LIST=$CONTAINER_BUILDROOT/c3d/mode.txt @@ -257,20 +274,20 @@ set_c3d_ownership() OWNER_LIST=$CONTAINER_BUILDROOT/c3d/owner.txt if [ -f $OWNER_LIST ] then - shopt -s nullglob grep --invert-match \ --regexp='^#' \ --regexp='^$' $OWNER_LIST | while read LINE do - TGT_OWNER=$(echo "$LINE" | cut -f 1 -d ' ') - GLOB_TGT_PATH=$(echo "$LINE" | cut -f 2 -d ' ') + SEPARATORS=$(echo $LINE | tr --complement --delete ' ' | wc -c) + PATH_FIELD=$(($SEPARATORS + 1)) + FLAGS_AND_OWNER=$(echo $LINE | cut -f -$SEPARATORS -d ' ') + GLOB_TGT_PATH=$(echo $LINE | cut -f $PATH_FIELD -d ' ') for BUILDROOT_TGT_PATH in $CONTAINER_BUILDROOT/c3d/$GLOB_TGT_PATH do TGT_PATH=$(echo $BUILDROOT_TGT_PATH | sed "s|^$CONTAINER_BUILDROOT||") - chroot $CONTAINER_BUILDROOT chown $TGT_OWNER $TGT_PATH + chroot $CONTAINER_BUILDROOT chown $FLAGS_AND_OWNER $TGT_PATH done done - shopt -u nullglob fi echo "Set ownership of the container creation and configuration directory files." @@ -386,7 +403,6 @@ set_variables() fi OLD_CONTAINER_NAME=$(lxc-ls -1 | grep -w "^$CONTAINER_BASENAME") - #OLD_CONTAINER_OS=$(echo $OLD_CONTAINER_NAME | sed 's/.*\.\([^\.]*\)$/\1/') OLD_CONTAINER_PATH=$LXC_PATH/$OLD_CONTAINER_NAME OLD_CONTAINER_BACKUP_PATH=$BACKUPS_PATH/$OLD_CONTAINER_NAME @@ -410,8 +426,10 @@ preinstall() mkdir $CONTAINER_BUILDROOT/dev mkdir $CONTAINER_BUILDROOT/proc + mkdir $CONTAINER_BUILDROOT/sys mount -o bind /dev $CONTAINER_BUILDROOT/dev mount -t proc proc $CONTAINER_BUILDROOT/proc + mount -t sysfs sysfs $CONTAINER_BUILDROOT/sys echo "Finished preinstall phase." } 
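Review bot: Dropping the quotes in `echo $LINE` (the removed lines had `echo "$LINE"`) exposes the path field of owner.txt to pathname expansion against the current directory before it is used as the intended glob on the `for BUILDROOT_TGT_PATH in $CONTAINER_BUILDROOT/c3d/$GLOB_TGT_PATH` line: a pattern like `*.sh` that happens to match in the cwd changes both `SEPARATORS` and `GLOB_TGT_PATH`, and the matched cwd names rather than the pattern are then passed to `chroot ... chown`. If the unquoting was meant to squeeze repeated spaces, do that explicitly with `FIELDS=$(printf '%s\n' "$LINE" | tr -s ' ')` and derive `SEPARATORS`, `FLAGS_AND_OWNER` and `GLOB_TGT_PATH` from `"$FIELDS"` with quoted expansions. Removing `shopt -s nullglob` also means an owner.txt pattern that matches nothing now reaches chown as a literal path instead of being skipped; if that is intended, say so in a comment. `FLAGS_AND_OWNER` is deliberately left unquoted so that flags in owner.txt split into separate chown arguments, which deserves a comment since that file is the only thing keeping arbitrary options out of a root chown run inside the chroot.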
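Review bot: The sysfs mount added to preinstall is read-write, so anything run in the chroot during package installation gets the host's writable `/sys`; `mount -t sysfs -o ro sysfs $CONTAINER_BUILDROOT/sys` limits it to the read access an installer needs. None of the three mounts or the new `mkdir` are checked for success, and the matching `umount` lives in a later hunk, so a failed mount lets the following phases continue in an inconsistent buildroot unless `set -e` is enabled further up (not visible here); `|| return 1` on each line would make that explicit. preinstall's opening lines are outside this hunk.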
@@ -446,7 +464,7 @@ postinstall() root@${SRC_HOST}:$SRC_PATH $COPY_PATH done fi - if [ -d $POSTINSTALL_PATH/install-data ] + if [ -d $POSTINSTALL_PATH/install-data ] then tar --create \ --directory=$POSTINSTALL_PATH \ @@ -473,10 +491,66 @@ postinstall() umount $CONTAINER_BUILDROOT/dev umount $CONTAINER_BUILDROOT/proc + umount $CONTAINER_BUILDROOT/sys echo "Finished postinstall phase." } +unprivilege() +{ + find $CONTAINER_BUILDROOT -perm -u+s >/tmp/us.$$ + find $CONTAINER_BUILDROOT -perm -g+s >/tmp/gs.$$ + find $CONTAINER_BUILDROOT -perm -o+t >/tmp/ot.$$ + + PRIV_UID=0 + PRIV_UID_COUNT=$(find $CONTAINER_BUILDROOT -uid $PRIV_UID | wc -l) + if [ $PRIV_UID_COUNT -gt 0 ] + then + echo "root user files: $PRIV_UID_COUNT" + UNPRIV_UID=$(( $PRIV_UID + 100000 )) + find $CONTAINER_BUILDROOT -uid $PRIV_UID -print0 | xargs -0 chown --no-dereference $UNPRIV_UID + fi + + PRIV_GID=0 + PRIV_GID_COUNT=$(find $CONTAINER_BUILDROOT -gid $PRIV_GID | wc -l) + if [ $PRIV_GID_COUNT -gt 0 ] + then + echo "root group files: $PRIV_GID_COUNT" + UNPRIV_GID=$(( $PRIV_GID + 100000 )) + find $CONTAINER_BUILDROOT -gid $PRIV_GID -print0 | xargs -0 chgrp --no-dereference $UNPRIV_GID + fi + + find $CONTAINER_BUILDROOT -uid -100000 | while read PRIV_UID_FILE + do + ls --directory -l $PRIV_UID_FILE + PRIV_UID=$(stat --format="%u" $PRIV_UID_FILE) + UNPRIV_UID=$(( $PRIV_UID + 100000 )) + chown --no-dereference $UNPRIV_UID $PRIV_UID_FILE + done + + find $CONTAINER_BUILDROOT -gid -100000 | while read PRIV_GID_FILE + do + ls --directory -l $PRIV_GID_FILE + PRIV_GID=$(stat --format="%g" $PRIV_GID_FILE) + UNPRIV_GID=$(( $PRIV_GID + 100000 )) + chgrp --no-dereference $UNPRIV_GID $PRIV_GID_FILE + done + + cat /tmp/us.$$ | while read US_NODE + do + chmod u+s $US_NODE + done + cat /tmp/gs.$$ | while read GS_NODE + do + chmod g+s $GS_NODE + done + cat /tmp/ot.$$ | while read OT_NODE + do + chmod o+t $OT_NODE + done + rm --force /tmp/us.$$ /tmp/gs.$$ /tmp/ot.$$ +} + firstboot() { echo "Executing firstboot phase." 
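Review bot: Every `find $CONTAINER_BUILDROOT` in unprivilege descends into whatever is still mounted under the buildroot, and the `umount` calls in postinstall just above are not checked (unless `set -e` is active, which this hunk does not show); if `/dev`, a bind mount of the host's `/dev`, or `/sys` is still mounted when unprivilege runs, the loops chown the host's device nodes to 100000+. Adding `-xdev` to each find (`find "$CONTAINER_BUILDROOT" -xdev -perm -u+s`) and refusing to continue while `mountpoint -q $CONTAINER_BUILDROOT/dev` succeeds keeps the id shift inside the rootfs. The setuid, setgid and sticky lists are written to `/tmp/us.$$`, `/tmp/gs.$$` and `/tmp/ot.$$`, predictable names created by root with no cleanup trap; `mktemp` plus `trap 'rm -f -- "$us" "$gs" "$ot"' EXIT` is the usual fix. The `while read` loops are unquoted and lack `-r`, so a file name containing whitespace or a backslash gets its setuid bit restored on the wrong path; `find ... -print0` with `while IFS= read -r -d '' f` (or `-exec chmod u+s {} +` on the saved list) avoids the split. The 100000 offset is repeated six times and should be one variable that matches the container's idmap, with a comment saying it must.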
@@ -519,12 +593,14 @@ populate_c3d preinstall -copy_and_install +copy_and_install ext4 set_c3d_ownership postinstall +unprivilege + backup_old_container mv $CONTAINER_BUILD_PATH $CONTAINER_PATH -- 2.54.0
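Review bot: The call site hard-codes `copy_and_install ext4`, so the btrfs branch this commit adds to copy_and_install is unreachable from the script itself; passing the backing filesystem through a variable populated in set_variables (`copy_and_install "${CONTAINER_FS:-ext4}"`) would make the new branch usable while keeping today's default. `unprivilege` is invoked unconditionally between postinstall and backup_old_container, so every container built from here on has its rootfs shifted by 100000; if some builds are still meant to run privileged that presumably needs a switch, and the idmap range in the container config must cover the shifted ids, neither of which is visible in this hunk.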