From 2ae049ad514340cc8a286fb90945be827afbac0d Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Fri, 26 Jan 2024 21:06:05 +0100
Subject: improve examples/chroottar.py
* Drop supplementary groups. Very likely, those are not mapped inside and they cannot cause much good.
* Sane permission for the root directory. Otherwise no non-root user can access any files.
---
 examples/chroottar.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/examples/chroottar.py b/examples/chroottar.py
index e002ed8..56613de 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -69,6 +69,7 @@ def main() -> None:
 setupevent.close()
 os.setreuid(0, 0)
 os.setregid(0, 0)
+ os.setgroups([])
 for tmem in tarf:
 if tmem.name.removeprefix("./").startswith("dev/"):
 continue
@@ -91,6 +92,7 @@ def main() -> None:
 [gidmap, linuxnamespaces.IDMapping(65536, os.getgid(), 1)],
 )
 os.chown(tdir, 0, 0)
+ os.chmod(tdir, 0o755)
 setupevent.write()
 setupevent.close()
 _, ret = os.waitpid(pid, 0)
-- 
cgit v1.2.3
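Review bot: The added `os.setgroups([])` in the first hunk carries no comment, and in an example that readers will copy the reason belongs next to the call. Supplementary groups inherited from the invoking user stay in the process credentials and still count in permission checks even when they have no mapping inside the namespace. I would add `# Drop inherited supplementary groups; unmapped ones still count in permission checks.` above the call. The call raises `PermissionError` when setgroups is denied for the namespace, which presumably depends on how the parent writes the gid map, so a short remark on that precondition would also help. main() starts and ends outside the hunk.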
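Review bot: The `os.chmod(tdir, 0o755)` added after `os.chown(tdir, 0, 0)` in the second hunk may also open the extracted tree to every local user outside the namespace, not only to non-root users inside it. That applies if `tdir` sits directly in a shared location such as the system temp directory; where `tdir` is created is not visible in this hunk. Any setuid or setgid files unpacked from the tarball would then be reachable from the host under the mapped ids. Consider keeping the containing directory private (mode 0o700) and unpacking into a subdirectory that gets 0o755. At minimum, document the requirement with `# 0o755: non-root users inside need to traverse /; keep the parent of tdir private.` main() starts and ends outside the hunk.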