authorHelmut Grohne <helmut@subdivi.de>2024-01-26 21:06:05 +0100
committerHelmut Grohne <helmut@subdivi.de>2024-01-26 21:06:05 +0100
commit2ae049ad514340cc8a286fb90945be827afbac0d (patch)
tree77e70e0d7ce408f969a824bb9d48b4d889467ff3
parent8341b7159d18aa12e497bd10c33a53fcd93c02c5 (diff)
downloadpython-linuxnamespaces-2ae049ad514340cc8a286fb90945be827afbac0d.tar.gz
improve examples/chroottar.py
* Drop supplementary groups. Very likely, those are not mapped inside and cannot do much good. * Sane permissions for the root directory. Otherwise no non-root user can access any files.
-rwxr-xr-xexamples/chroottar.py2
1 files changed, 2 insertions, 0 deletions
diff --git a/examples/chroottar.py b/examples/chroottar.py
index e002ed8..56613de 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -69,6 +69,7 @@ def main() -> None:
setupevent.close()
os.setreuid(0, 0)
os.setregid(0, 0)
+ os.setgroups([])
for tmem in tarf:
if tmem.name.removeprefix("./").startswith("dev/"):
continue
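Review bot: `os.setgroups([])` can raise PermissionError (EPERM) inside a user namespace whose `/proc/self/setgroups` was set to "deny", which is what an unprivileged single-mapping setup has to do before writing gid_map; whether that applies here depends on how the mapping is established, which is outside this hunk. If the helper path that allows setgroups is the only supported one, a comment saying so would save the next reader a trip to user_namespaces(7): `os.setgroups([])  # supplementary gids of the caller are not mapped here; requires setgroups "allow"`. Otherwise consider catching `PermissionError` and failing with a message naming the setgroups policy rather than a bare traceback. main() begins and ends outside this hunk.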
@@ -91,6 +92,7 @@ def main() -> None:
[gidmap, linuxnamespaces.IDMapping(65536, os.getgid(), 1)],
)
os.chown(tdir, 0, 0)
+ os.chmod(tdir, 0o755)
setupevent.write()
setupevent.close()
_, ret = os.waitpid(pid, 0)
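Review bot: The reason for `os.chmod(tdir, 0o755)` lives only in the commit message; in the code it reads as an unexplained loosening of a directory that was just chowned to root. If tdir is created by something like `tempfile.mkdtemp` (its origin is outside the hunk), it starts at 0o700, and nothing in the source tells a reader that 0o755 is the intended "ordinary root filesystem" mode rather than an accident. A one-line comment would do: `os.chmod(tdir, 0o755)  # temp dirs default to 0o700, which locks non-root users inside the chroot out of everything`. Note this only affects the chroot root itself; modes of the extracted entries come from the tar. main() continues outside this hunk.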