From 1badff22413405eda8e787f59950bc2ec7625f1a Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Thu, 15 Oct 2020 16:26:28 -0700
Subject: [PATCH] safer/simpler uid/gid mapping w/ reduced build privs

---
 Makefile | 8 +++---
 config/container/Dockerfile | 50 +------------------------------------
 scripts/host-env | 21 ++++++++++++++++
 3 files changed, 26 insertions(+), 53 deletions(-)
 create mode 100755 scripts/host-env

diff --git a/Makefile b/Makefile
index 2347fa9..1caa23c 100644
--- a/Makefile
+++ b/Makefile
@@ -111,7 +111,7 @@ sign: $(RELEASE_DIR)/*.rom $(RELEASE_DIR)/*.iso
 .PHONY: shell
 shell:
 	$(docker) inspect "$(NAME)" \
-	&& $(docker) exec --interactive --tty "$(NAME)" shell \
+	&& $(docker) exec --interactive --user=root --tty "$(NAME)" shell \
 	|| $(contain) shell
 
 
@@ -119,7 +119,7 @@ shell:
 menuconfig:
 	$(contain) menuconfig
 
-.PHONY: menuconfig
+.PHONY: linux-menuconfig
 linux-menuconfig:
 	$(contain) linux-menuconfig
 
@@ -163,7 +163,6 @@ contain := \
 	--interactive \
 	--name "$(NAME)" \
 	--hostname "$(NAME)" \
-	--user $(userid):$(groupid) \
 	--env TARGET="$(TARGET)" \
 	--env DEVICES="$(DEVICES)" \
 	--env GIT_DATETIME="$(GIT_DATETIME)" \
@@ -172,7 +171,8 @@ contain := \
 	--env GIT_AUTHOR="$(GIT_AUTHOR)" \
 	--env GIT_KEY="$(GIT_KEY)" \
 	--env GIT_STATE="$(GIT_STATE)" \
-	--security-opt seccomp=unconfined \
+	--env UID="$(shell id -u)" \
+	--env GID="$(shell id -g)" \
 	--volume $(PWD)/build:/home/build/build \
 	--volume $(PWD)/config:/home/build/config \
 	--volume $(PWD)/release:/home/build/release \
diff --git a/config/container/Dockerfile b/config/container/Dockerfile
index 23c7e8e..dbfe091 100644
--- a/config/container/Dockerfile
+++ b/config/container/Dockerfile
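Review bot: `--user=root` on the `docker exec` line of the `shell` target gives the interactive shell root inside a container that bind-mounts `$(PWD)/build`, `config` and `release` from the host, so files written from that shell land on the host owned by root and sidestep the uid/gid mapping this commit introduces for the main process. Since the entrypoint creates a user with the host ids at container start, the exec can drop to it the same way the `contain` variable does: `&& $(docker) exec --interactive --user="$(shell id -u):$(shell id -g)" --tty "$(NAME)" shell \`. If root really is wanted for `shell`, a comment on the target saying so (and that it is a dev-only escape hatch) would stop the next reader from "fixing" it.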
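Review bot: The new `--env UID=` and `--env GID=` lines in the last hunk are consumed by `scripts/host-env`, a `#!/bin/bash` script, and bash initialises `UID` at startup as a readonly variable, which as far as I know replaces any `UID` imported from the environment; if that holds, `uid=${UID?}` in host-env sees the container process's own uid (0, now that the preceding hunk drops `--user $(userid):$(groupid)`) instead of the host uid, and the script's `useradd -u 0` would fail. Names bash does not own avoid the question, e.g. `--env HOST_UID="$(shell id -u)" \` and `--env HOST_GID="$(shell id -g)" \` with host-env reading `${HOST_UID?}`/`${HOST_GID?}`; worth verifying inside the container before merging. Removing `--security-opt seccomp=unconfined` restores Docker's default seccomp profile, which is welcome, but with `--user` gone the container now starts as root and the image ENTRYPOINT is the only privilege drop, so a comment to that effect on the `contain` definition would help. The `contain :=` definition starts and ends outside these hunks.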
@@ -1,39 +1,4 @@
 ARG DEBIAN_IMAGE_HASH=4ab3309ba955211d1db92f405be609942b595a720de789286376f030502ffd6f
-ARG GOLANG_IMAGE_HASH=84349ee862d8bafff35e0d2bfd539da565b536b4dfce654773fc21a1db2da6d7
-
-FROM golang@sha256:${GOLANG_IMAGE_HASH} as gotools
-
-ARG FIXUID_GIT_REF="0ec93d22e52bde5b7326e84cb62fd26a3d20cead"
-ARG OZZOCONFIG_GIT_REF="0ff174cf5aa6480026e0b40c14fd9cfb61c4abf6"
-ARG JSONPREPROCESS_GIT_REF="a4e954386171be645f1eb7c41865d2624b69259d"
-ARG TOML_GIT_REF="3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005"
-ARG YAMLV2_GIT_REF="51d6538a90f86fe93ac480b35f37b2be17fef232"
-ARG GLIDE_GIT_REF="b94b39d657d8abcccba6545e148f1201aee6ffec"
-
-RUN apk add bash git make
-
-RUN printf "\
-github.com/boxboat/fixuid.git github.com/boxboat/fixuid ${FIXUID_GIT_REF} \n\
-github.com/go-ozzo/ozzo-config github.com/go-ozzo/ozzo-config ${OZZOCONFIG_GIT_REF} \n\
-github.com/hnakamur/jsonpreprocess github.com/hnakamur/jsonpreprocess ${JSONPREPROCESS_GIT_REF} \n\
-github.com/BurntSushi/toml github.com/BurntSushi/toml ${TOML_GIT_REF} \n\
-github.com/go-yaml/yaml gopkg.in/yaml.v2 ${YAMLV2_GIT_REF} \n" \
-> /go/src/repos
-
-RUN echo ' \
-  set -o nounset -o pipefail -o errexit; \
-  cat /go/src/repos | while read -r line; do \
-    repo=$(echo $line | awk "{ print \$1 }"); \
-    folder=$(echo $line | awk "{ print \$2 }"); \
-    ref=$(echo $line | awk "{ print \$3 }"); \
-    git clone "https://${repo}" "/go/src/${folder}"; \
-    git -C "/go/src/${folder}" checkout ${ref}; \
-  done' \
-| bash
-
-RUN go build -o /usr/local/bin/fixuid github.com/boxboat/fixuid
-
-
 FROM debian@sha256:${DEBIAN_IMAGE_HASH} as debian
 
 ENV DEBIAN_FRONTEND=noninteractive \
@@ -43,14 +8,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
     HOME=/home/build \
     PATH=/home/build/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-## Setup fixuid for mounting host-dirs with correct permissions during dev
-COPY --from=gotools /usr/local/bin/ /usr/local/bin/
-RUN chown root:root /usr/local/bin/fixuid \
-  && chmod 4755 /usr/local/bin/fixuid \
-  && mkdir -p /etc/fixuid \
-  && printf "user: build\ngroup: build\npaths:\n - /\n - /home/build/build\n" > /etc/fixuid/config.yml
-ENTRYPOINT ["/usr/local/bin/fixuid", "-q"]
-
 ADD scripts/ /usr/local/bin/
 
 ## Install packages from packages.list with retry
@@ -59,11 +16,6 @@ ADD config/container/packages.list /etc/apt/packages.list
 ADD config/container/apt.conf /etc/apt/apt.conf
 RUN apt-install
 
-## Create build user with sudo privs
-RUN useradd -G plugdev,sudo -ms /bin/bash build \
-  && chown -R build:build /home/build \
-  && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
-
 WORKDIR /home/build
-USER build
+ENTRYPOINT ["/usr/local/bin/host-env"]
 
diff --git a/scripts/host-env b/scripts/host-env
new file mode 100755
index 0000000..803f380
--- /dev/null
+++ b/scripts/host-env
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+set -x
+
+uid=${UID?}
+gid=${GID?}
+user=${USER:-"build"}
+export HOME="/home/${user}"
+
+groupadd -g "$gid" "${user}"
+useradd \
+  -g "$gid" \
+  -u "$uid" \
+  -md "/home/${user}" \
+  -s /bin/bash \
+  "${user}"
+
+mkdir -p "$HOME"
+chown -R "$uid:$gid" "$HOME"
+cd "$HOME"
+setpriv --reuid="$uid" --regid="$gid" --init-groups "$@"
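Review bot: With `USER build` replaced by the `ENTRYPOINT ["/usr/local/bin/host-env"]` line, the image no longer declares a non-root user and the whole privilege drop now lives in a script that is not visible from this file; a comment next to the new line would record that, e.g. `## Runs as root only until host-env has created the build user from the host uid/gid and dropped to it with setpriv`. It is also worth stating in that comment that `docker exec` and `--entrypoint` overrides do not pass through ENTRYPOINT, so anything entering the container by those routes is root in a container that bind-mounts host directories. Removing the passwordless-sudo `useradd` block is a clear improvement and needs no further change.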
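Review bot: `chown -R "$uid:$gid" "$HOME"` in the new `scripts/host-env` runs as root over `/home/build`, which is also where the Makefile bind-mounts the host `build`, `config` and `release` directories, so every container start walks the host tree and rewrites the ownership of whatever it finds there, including files that were deliberately not owned by the host user; the mounts already carry the host ids, so the non-recursive `chown "$uid:$gid" "$HOME"` is enough. `groupadd -g "$gid"` and `useradd -u "$uid"` are also not idempotent: if the host gid or uid already exists in the Debian image (gid 100 `users` is the primary group on some distributions), the command fails and `set -e` aborts the container before `setpriv` runs, so guarding them as `getent group "$gid" >/dev/null || groupadd -g "$gid" "${user}"` and `getent passwd "$uid" >/dev/null || useradd \` keeps start-up deterministic. `set -x` echoes every line to stderr, which is fine for debugging but noisy in CI logs, and a short header comment stating that the script must run as root and is the image's only privilege boundary would help the next reader.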