templates: improve refusing to run unprivileged

For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out.  Detecting will
not be done after -- parameter because of non-option parameters.

Also, change the mode of lxc-archlinux.in 100755 to 100644.

Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 232f54bd4ac09b481cef63c95239dcba9275cde8..d1ae9f3ff0da70434d8c9cb91598411b3c8be29b 100644 (file)
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -1,8 +1,9 @@
 #!/bin/bash
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index 385465c1b453649231ef034b7b72dafca1b50095..e64ad24c6fd8ac6379987cb23276e82059937b17 100644 (file)
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -25,8 +25,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
old mode 100755 (executable)
new mode 100644 (file)
index d394816..d3d5f73
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -26,8 +26,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index f4aa6c40e1771fd1e8807fd8c1f9a4482352435b..dae154121e68e96a78a46d57540b40542f92aefe 100644 (file)
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -21,8 +21,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index 1fce0e3b406d34768a3f5bc0a18ca427f400ef1f..d089a15575706cdb1722af6e5bed80e24acafd34 100644 (file)
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
 # should be able to use EITHER.  Give preference to /etc/os-release for now.
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
index 519013f5c9b9d2cee456beb4c3c8ddfeee0eb91e..24c59a9c1e8b1c532f17102444df5ae93c750c75 100644 (file)
--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -22,8 +22,9 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 376e30d441ebd3e93fa2299dac6a87c30b637a78..cb19ba4842b627ad1be8ca5e19cec51a3e03dc3d 100644 (file)
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -21,8 +21,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index b8a233956c552b80e14adad3bddaea0af8338fc7..5ab3852aba643d5c3257b66812c9a10dcb49e18f 100644 (file)
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
 # should be able to use EITHER.  Give preference to /etc/os-release for now.
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-gentoo.in b/templates/lxc-gentoo.in
index ae6789877ec156986c6d56fdf5dc96d91523b40c..e59ed457226444a3b8bef54ced21a0326fed123e 100644 (file)
--- a/templates/lxc-gentoo.in
+++ b/templates/lxc-gentoo.in
@@ -14,8 +14,9 @@
 #
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
index e5d2b1cd4a0c7b7be2c9883897c78f26f9ee3727..ddc9863fa1969c5e8a007d8b217819b170507ddf 100644 (file)
--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
@@ -27,8 +27,9 @@
 #
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index fb2186412ed47bf7e2291a6bf4ee12929af2f61e..df517a699e36b504a575c04f6642a08a5dd2a834 100644 (file)
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -26,8 +26,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index c114ad8352053a987fee0517ebefb7702dbc9815..ae64bc6345d837f9db4d715845131f0643eec141 100644 (file)
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -28,8 +28,9 @@
 #
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
index e9f681e99ba26b0ea469dede61499d393766296a..c8cf3a50798ced87ccffeda4af22c86c51b31814 100644 (file)
--- a/templates/lxc-plamo.in
+++ b/templates/lxc-plamo.in
@@ -29,8 +29,9 @@
 #      lxc-ubuntu script
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index 397a388fe3fd10ceb25df141377e4300fd9ee57f..2c3cd7fc93b5a0adf49bce40a86bf70c7a99a97a 100644 (file)
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -21,8 +21,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index b7f9777c91e8f09786fe59715d3b8b186f01655f..85df042fae03d8324478a9c38e937ea14216049e 100644 (file)
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -25,8 +25,9 @@
 #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 # Detect use under userns (unsupported)
-for arg in $*; do
-    if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+    [ "$arg" == "--" ] && break
+    if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
         echo "This template can't be used for unprivileged containers." 1>&2
         echo "You may want to try the \"download\" template instead." 1>&2
         exit 1