examples/chroottar.py: harden against tars with high uids

author: Helmut Grohne <helmut@subdivi.de> 2024-01-31 08:06:47 +0100
committer: Helmut Grohne <helmut@subdivi.de> 2024-01-31 08:06:47 +0100
commit: a169f51420795a212c3226f455e783ab8ac5cf47 (patch)
tree: 1cfad5a25e1d87102b2a1fac90f36e732d57fb98
parent: fe2cc26b5080a4ded33db67183bd5ef0c3e991b4 (diff)
download: python-linuxnamespaces-a169f51420795a212c3226f455e783ab8ac5cf47.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/examples/chroottar.py b/examples/chroottar.py
index 8b374d1..89db0b1 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -122,6 +122,14 @@ def main() -> None:
                 for tmem in tarf:
                     if tmem.name.removeprefix("./").startswith("dev/"):
                         continue
+                    # Our namespace has privileged uids allocated high. Hence
+                    # clamp unpacking.
+                    if tmem.uid >= 65536 or tmem.gid >= 65536:
+                        tmem.mode &= ~0o7000
+                    if tmem.uid >= 65536:
+                        tmem.uid = 0
+                    if tmem.gid >= 65536:
+                        tmem.gid = 0
                     tarf.extract(tmem, numeric_owner=True)
             linuxnamespaces.bind_mount(".", "/mnt", recursive=True)
             os.chdir("/mnt")
author	Helmut Grohne <helmut@subdivi.de>	2024-01-31 08:06:47 +0100
committer	Helmut Grohne <helmut@subdivi.de>	2024-01-31 08:06:47 +0100
commit	a169f51420795a212c3226f455e783ab8ac5cf47 (patch)
tree	1cfad5a25e1d87102b2a1fac90f36e732d57fb98
parent	fe2cc26b5080a4ded33db67183bd5ef0c3e991b4 (diff)
download	python-linuxnamespaces-a169f51420795a212c3226f455e783ab8ac5cf47.tar.gz