authorHelmut Grohne <helmut@subdivi.de>2024-01-31 08:06:47 +0100
committerHelmut Grohne <helmut@subdivi.de>2024-01-31 08:06:47 +0100
commita169f51420795a212c3226f455e783ab8ac5cf47 (patch)
tree1cfad5a25e1d87102b2a1fac90f36e732d57fb98
parentfe2cc26b5080a4ded33db67183bd5ef0c3e991b4 (diff)
examples/chroottar.py: harden against tars with high uids
-rwxr-xr-xexamples/chroottar.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/examples/chroottar.py b/examples/chroottar.py
index 8b374d1..89db0b1 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -122,6 +122,14 @@ def main() -> None:
for tmem in tarf:
if tmem.name.removeprefix("./").startswith("dev/"):
continue
+ # Our namespace has privileged uids allocated high. Hence
+ # clamp unpacking.
+ if tmem.uid >= 65536 or tmem.gid >= 65536:
+ tmem.mode &= ~0o7000
+ if tmem.uid >= 65536:
+ tmem.uid = 0
+ if tmem.gid >= 65536:
+ tmem.gid = 0
tarf.extract(tmem, numeric_owner=True)
linuxnamespaces.bind_mount(".", "/mnt", recursive=True)
os.chdir("/mnt")
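Review bot: The limit `65536` is written four times in the added lines, and nothing visible in the hunk ties it to the id range the namespace actually maps, so the clamp can go stale if the mapping set up elsewhere in `main()` changes. A single module-level constant (for example `UNPRIVILEGED_ID_LIMIT = 65536`, ideally the same value the id-map setup uses) would fix that, together with a fuller comment such as `# ids at or above the limit are presumably mapped to privileged ids in this namespace; drop setuid/setgid/sticky and chown to 0 instead`. The test is also one-sided: it assumes `tmem.uid` and `tmem.gid` are never negative, whereas `not 0 <= tmem.uid < UNPRIVILEGED_ID_LIMIT` would handle out-of-range values in both directions. The rewrite is silent, so a warning naming `tmem.name` would help anyone who later needs to explain why ownership on disk differs from the archive. `main()` begins and ends outside this hunk, so the mapping itself could not be checked here.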