Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

capsh doesn't work with the container image which has no /bin/bash #10

Open
mhiramat opened this issue Dec 7, 2016 · 2 comments
Open

capsh doesn't work with the container image which has no /bin/bash #10

mhiramat opened this issue Dec 7, 2016 · 2 comments
Assignees
@mhiramat

Comments

@mhiramat
Copy link
Owner

mhiramat commented Dec 7, 2016

Capsh is a great tool to drop capabilities for preventing jailbreak from chroot.
However, it hardcodes /bin/bash to run(in chrooted rootfs), thus we can not run
containers which don't have /bin/bash.

Maybe we have 3 options;

  • If there is no /bin/bash but /bin/sh, add a wrapper shell script as /bin/bash. (which just exec /bin/sh with given parameters)
  • If there is no /bin/sh, we just fail to run, and warn the reason.
  • Fix capsh (to use /bin/sh or just directly run given command) or make another command.
mhiramat added a commit that referenced this issue Dec 10, 2016
@mhiramat
minc-exec: Check whether /bin/bash exists in rootfs
effadca 
If given rootfs has no /bin/bash, we can not use capsh.
In that case, we warn it before run the command.
This partially fix issue #10.
@mhiramat
Copy link
Owner Author

This commit just avoid using capsh. I would like to try contribute capsh to support -x (exec) mode or make capexec to fix this issue.

@mhiramat
Copy link
Owner Author

mhiramat commented Dec 10, 2016
edited
Loading

See my libcap repository. I committed 2 patches which allow minc to execute given command directly from capsh.

@mhiramat mhiramat self-assigned this Jun 19, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mhiramat mhiramat

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mhiramat