tern
Allow for rootless mount and inspection for single layer container images
Problem Statement
It is possible for a non-root user to mount a filesystem and run commands against it using unshare. It isn't possible to do this using overlayfs (unless you were using ubuntu's modified kernel). There are container images out there that are built with no layers, i.e., they have a single filesystem. So it is possible to run tern as a non-root user if the container only has one filesystem tarball.
Describe the Proposal
Allow tern to run as a non-root user when running single filesystem container images.
Steps to Implement Proposal
We use overlay mount throughout the analysis. We can use the rootless mount for the first layer and then for subsequent layers use overlay mount as root.
- First find how to mount and chroot in the user namespace
- Have one function for the first layer mount and then another function for the multiple layer mount. Only ask for sudo privileges when the container has multiple layers.
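The dispatch the proposal describes, as an added example that is not tern's own code: read the layer list from a `docker save` archive's manifest.json, take the unprivileged path (an unshare user and mount namespace plus chroot into the extracted layer) only when the image has exactly one layer, and build a sudo overlay mount otherwise. The archive is constructed in memory, the function names and workspace paths are assumptions, the unshare/chroot invocation is one way to realise the rootless path, and the commands are returned rather than executed so the logic can be checked offline.

```python
"""Decide from a `docker save` archive whether an image can be analysed
rootless (single layer) or needs a privileged overlay mount (several layers)."""
import io
import json
import tarfile


def build_docker_save_tar(layer_names):
    """Constructed sample: a minimal docker-save archive holding manifest.json
    and empty placeholder layer tarballs (real layers contain a filesystem)."""
    manifest = [{
        "Config": "config.json",
        "RepoTags": ["example:latest"],  # constructed tag
        "Layers": layer_names,           # ordered bottom (base) to top
    }]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = json.dumps(manifest).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        for name in layer_names:
            tar.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
    return buf.getvalue()


def image_layers(image_tar):
    """Return the ordered layer tarball paths listed in manifest.json."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
    if len(manifest) != 1:
        raise ValueError("expected exactly one image in the archive")
    return list(manifest[0]["Layers"])


def needs_root(image_tar):
    """The proposal's rule: only a multi-layer image needs sudo for overlayfs."""
    return len(image_layers(image_tar)) > 1


def rootless_command(rootfs_dir, script):
    """Single-layer path: run `script` chrooted into the extracted layer inside
    an unprivileged user + mount namespace. Flags are util-linux unshare's."""
    return ["unshare", "--user", "--map-root-user", "--mount",
            "chroot", rootfs_dir, "/bin/sh", "-c", script]


def overlay_mount_command(layer_dirs, upper_dir, work_dir, merged_dir):
    """Multi-layer path: privileged overlay mount. overlayfs expects lowerdir
    with the top-most layer first, so the bottom-to-top manifest order is reversed."""
    lower = ":".join(reversed(layer_dirs))
    opts = f"lowerdir={lower},upperdir={upper_dir},workdir={work_dir}"
    return ["sudo", "mount", "-t", "overlay", "overlay", "-o", opts, merged_dir]


def plan_mount(image_tar, extracted_dirs, workspace, script="ls /"):
    """Pick the path the proposal describes: rootless for one layer, sudo plus
    overlay for several. extracted_dirs[i] is where layer i was unpacked
    (assumed layout; tern's own cache directories are not modelled here)."""
    layers = image_layers(image_tar)
    if len(layers) != len(extracted_dirs):
        raise ValueError("one extracted directory per layer expected")
    if not needs_root(image_tar):
        return rootless_command(extracted_dirs[0], script)
    return overlay_mount_command(extracted_dirs, f"{workspace}/upper",
                                 f"{workspace}/work", f"{workspace}/merged")


if __name__ == "__main__":
    single = build_docker_save_tar(["abc/layer.tar"])
    multi = build_docker_save_tar(["base/layer.tar", "app/layer.tar"])
    print(plan_mount(single, ["/tmp/tern/abc"], "/tmp/tern"))
    print(plan_mount(multi, ["/tmp/tern/base", "/tmp/tern/app"], "/tmp/tern"))
```

Whether the rootless branch actually works depends on the kernel allowing unprivileged user namespaces; when it does not, `unshare --user` fails before anything is mounted, which is the cue to fall back to the privileged path rather than to elevate every run.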
I think this might be related to this issue (let me know if not and I can open a new issue) but I'd like to be able to use some functionality of tern without requiring sudo:
2021-08-27 21:30:11,896 - DEBUG - rootfs - Running command: sudo chmod +x /home/vanessa/Desktop/Code/radiuss-docker/env/lib/python3.8/site-packages/tern/tools/fs_hash.sh
I wanted to try out tern but stopped when I hit here.
@vsoch Looking into this. Hopefully, by the end of this, tern will not need to invoke sudo...
@vsoch you should now be able to use tern in a docker or podman container without needing sudo. Would this work for you?
Woohoo yes absolutely! Will test it out soon.
I'm in an environment where the home dir is mounted on nfs with a squashed root. The chmod will not work when elevated to root. Why is that being run in that way?
+1