mincs capsh doesn't work with the container image which has no /bin/bash

capsh doesn't work with the container image which has no /bin/bash

Open mhiramat opened this issue 8 years ago • 2 comments

Capsh is a great tool to drop capabilities for preventing jailbreak from chroot. However, it hardcodes /bin/bash to run(in chrooted rootfs), thus we can not run containers which don't have /bin/bash.

Maybe we have 3 options;

If there is no /bin/bash but /bin/sh, add a wrapper shell script as /bin/bash. (which just exec /bin/sh with given parameters)
If there is no /bin/sh, we just fail to run, and warn the reason.
Fix capsh (to use /bin/sh or just directly run given command) or make another command.

Dec 07 '16 02:12 mhiramat

This commit just avoid using capsh. I would like to try contribute capsh to support -x (exec) mode or make capexec to fix this issue.

Dec 10 '16 03:12 mhiramat

See my libcap repository. I committed 2 patches which allow minc to execute given command directly from capsh.

Dec 10 '16 14:12 mhiramat

mincs mincs copied to clipboard

capsh doesn't work with the container image which has no /bin/bash

mincs
mincs copied to clipboard