Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

post-install.sh uses chown, which no longer exists #39

Open
sidm1983 opened this issue Oct 8, 2020 · 12 comments
Open

post-install.sh uses chown, which no longer exists #39

sidm1983 opened this issue Oct 8, 2020 · 12 comments

Comments

@sidm1983
Copy link

sidm1983 commented Oct 8, 2020

Hi, I noticed that the Dockerfile removes a bunch of dangerous commands including chown, but then the post-install.sh script tries to run a chown command on all the app files. Obviously, the command errors out with a chown: not found error message. Is this an issue or am I missing something?
@hazcod
Copy link
Member

hazcod commented Oct 8, 2020

Hi @sidm1983 , can you try with 6969467 ?

@sidm1983
Copy link
Author

sidm1983 commented Oct 8, 2020
edited
Loading

@hazcod I have commented in that commit. It is being deleted further down in the Dockerfile in the command starting at line 73.

@hazcod
Copy link
Member

hazcod commented Oct 8, 2020

Oof, good catch. Fixed in 612ff8f

@sidm1983
Copy link
Author

sidm1983 commented Oct 8, 2020
edited
Loading

@hazcod Thanks for that. Last question, should chown be removed in the post-install.sh script now that it is no longer being deleted in the Dockerfile? I am thinking that it is still a dangerous command and should be deleted as was originally intended. What are you thoughts?

@hazcod
Copy link
Member

hazcod commented Oct 8, 2020

That's a very good point, I've added it in 6c71848

@hazcod hazcod closed this as completed Oct 8, 2020
@sidm1983
Copy link
Author

sidm1983 commented Oct 11, 2020
edited
Loading

@hazcod, so I tested your latest change in 6c71848 and it didn't work for me. This is because chown in alpine is actually a symbolic link to the busybox binary. You will have to change the chown deletion command in the post-install.sh script to the following for it to work:

find / \( -type f -o -type l \) -iname 'chown' -xdev -delete

Now, even though you fix that, there is still the matter of the busybox binary still existing, which means if an unauthorized user gets access to the shell, they can still execute chown (and any other dangerous commands that were deleted) by running busybox chown instead. Not sure if there is a way to prevent busybox from executing certain commands without removing the busybox binary entirely.

Would love to hear your thoughts on this. Thank you.

@sidm1983
Copy link
Author

@hazcod, just wanted to check in to see if you have any thoughts about my comment above. Thank you. 🙂

@hazcod
Copy link
Member

hazcod commented Oct 16, 2020
edited
Loading

Hmm, very good point @sidm1983 . I'm thinking about chmodding busybox to 000 but i'm not sure about the implications.

@hazcod
Copy link
Member

hazcod commented Oct 16, 2020
edited
Loading

I've opened up #42 for work around this.
I guess I need to check for symlinks in all delete scenarios.

@hazcod hazcod reopened this Oct 16, 2020
@sidm1983
Copy link
Author

Hmm, very good point @sidm1983 . I'm thinking about chowning busybox to 000 but i'm not sure about the implications.

Yeah not sure about the implications either. What user is 000?

@hazcod
Copy link
Member

hazcod commented Oct 16, 2020

Correction, I meant chmod ofcourse. :-)

@sidm1983
Copy link
Author

Ah yup, I had a feeling that's what you meant. That could make it hard to do basic troubleshooting on the final docker image. 🤔

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hazcod @sidm1983