From: TAMUKI Shoichi Date: Thu, 6 Feb 2014 10:38:39 +0000 (+0900) Subject: templates: improve refusing to run unprivileged X-Git-Tag: lxc-1.0.0.beta4~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c63c04fcaf1c3a78c70500eae253d72fa9c8358a;p=thirdparty%2Flxc.git templates: improve refusing to run unprivileged For all templates except lxc-ubuntu-cloud and lxc-download, detect not only --mapped-uid but also --mapped-gid and error out. Detecting will not be done after -- parameter because of non-option parameters. Also, change the mode of lxc-archlinux.in 100755 to 100644. Signed-off-by: TAMUKI Shoichi Acked-by: Stéphane Graber
---
diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 232f54bd4..d1ae9f3ff 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -1,8 +1,9 @@
 #!/bin/bash
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index 385465c1b..e64ad24c6 100644
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -25,8 +25,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
old mode 100755
new mode 100644
index d394816f1..d3d5f73c2
--- a/templates/lxc-archlinux.in
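Review bot: The added `[ "$arg" == "--" ] && break` stops the scan at the first `--` anywhere in the argument list, so the guard only fires if the caller places `--mapped-uid`/`--mapped-gid` ahead of any user-supplied arguments; that ordering is not visible in this diff and should be confirmed, and the comment above the loop could state it, e.g. `# Detect use under userns (unsupported); arguments after "--" are not scanned`. Separately, the combined test relies on `-o`, which `[` can misparse when an operand is itself an operator such as `!` or `(`; `if [ "$arg" = "--mapped-uid" ] || [ "$arg" = "--mapped-gid" ]; then` avoids that and also drops the non-POSIX `==`. Only the exact strings are matched, so a single-word `--mapped-uid=VALUE` form would pass unnoticed if the caller ever emits one. The identical lines appear in the other fourteen template hunks of this commit (lxc-altlinux through lxc-ubuntu), and in each the loop continues past the end of the hunk.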
+++ b/templates/lxc-archlinux.in
@@ -26,8 +26,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index f4aa6c40e..dae154121 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -21,8 +21,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index 1fce0e3b4..d089a1557 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
 # should be able to use EITHER. Give preference to /etc/os-release for now.
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
index 519013f5c..24c59a9c1 100644
--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -22,8 +22,9 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 376e30d44..cb19ba484 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -21,8 +21,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index b8a233956..5ab3852ab 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -73,8 +73,9 @@ lxc_network_link=lxcbr0
 # should be able to use EITHER. Give preference to /etc/os-release for now.
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-gentoo.in b/templates/lxc-gentoo.in
index ae6789877..e59ed4572 100644
--- a/templates/lxc-gentoo.in
+++ b/templates/lxc-gentoo.in
@@ -14,8 +14,9 @@
 #
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
index e5d2b1cd4..ddc9863fa 100644
--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
@@ -27,8 +27,9 @@
 #
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index fb2186412..df517a699 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -26,8 +26,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index c114ad835..ae64bc634 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -28,8 +28,9 @@
 #
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
index e9f681e99..c8cf3a507 100644
--- a/templates/lxc-plamo.in
+++ b/templates/lxc-plamo.in
@@ -29,8 +29,9 @@
 # lxc-ubuntu script
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index 397a388fe..2c3cd7fc9 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -21,8 +21,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index b7f9777c9..85df042fa 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -25,8 +25,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 # Detect use under userns (unsupported)
-for arg in $*; do
- if [ "$arg" == "--mapped-uid" ]; then
+for arg in "$@"; do
+ [ "$arg" == "--" ] && break
+ if [ "$arg" == "--mapped-uid" -o "$arg" == "--mapped-gid" ]; then
 echo "This template can't be used for unprivileged containers." 1>&2
 echo "You may want to try the \"download\" template instead." 1>&2
 exit 1