improve examples/chroottar.py

* Drop supplementary groups. Very likely, those are not mapped inside and they cannot cause much good. * Sane permission for the root directory. Otherwise no non-root user can access any files.
author: Helmut Grohne <helmut@subdivi.de> 2024-01-26 21:06:05 +0100
committer: Helmut Grohne <helmut@subdivi.de> 2024-01-26 21:06:05 +0100
commit: 2ae049ad514340cc8a286fb90945be827afbac0d (patch)
tree: 77e70e0d7ce408f969a824bb9d48b4d889467ff3
parent: 8341b7159d18aa12e497bd10c33a53fcd93c02c5 (diff)
download: python-linuxnamespaces-2ae049ad514340cc8a286fb90945be827afbac0d.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/examples/chroottar.py b/examples/chroottar.py
index e002ed8..56613de 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -69,6 +69,7 @@ def main() -> None:
                 setupevent.close()
                 os.setreuid(0, 0)
                 os.setregid(0, 0)
+                os.setgroups([])
                 for tmem in tarf:
                     if tmem.name.removeprefix("./").startswith("dev/"):
                         continue
@@ -91,6 +92,7 @@ def main() -> None:
             [gidmap, linuxnamespaces.IDMapping(65536, os.getgid(), 1)],
         )
         os.chown(tdir, 0, 0)
+        os.chmod(tdir, 0o755)
         setupevent.write()
         setupevent.close()
         _, ret = os.waitpid(pid, 0)
author	Helmut Grohne <helmut@subdivi.de>	2024-01-26 21:06:05 +0100
committer	Helmut Grohne <helmut@subdivi.de>	2024-01-26 21:06:05 +0100
commit	2ae049ad514340cc8a286fb90945be827afbac0d (patch)
tree	77e70e0d7ce408f969a824bb9d48b4d889467ff3
parent	8341b7159d18aa12e497bd10c33a53fcd93c02c5 (diff)
download	python-linuxnamespaces-2ae049ad514340cc8a286fb90945be827afbac0d.tar.gz