From 2ae049ad514340cc8a286fb90945be827afbac0d Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Fri, 26 Jan 2024 21:06:05 +0100
Subject: improve examples/chroottar.py

 * Drop supplementary groups. Very likely, those are not mapped inside
   and they cannot cause much good.
 * Sane permission for the root directory. Otherwise no non-root user
   can access any files.
---
 examples/chroottar.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'examples/chroottar.py')

diff --git a/examples/chroottar.py b/examples/chroottar.py
index e002ed8..56613de 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -69,6 +69,7 @@ def main() -> None:
                 setupevent.close()
                 os.setreuid(0, 0)
                 os.setregid(0, 0)
+                os.setgroups([])
                 for tmem in tarf:
                     if tmem.name.removeprefix("./").startswith("dev/"):
                         continue
@@ -91,6 +92,7 @@ def main() -> None:
             [gidmap, linuxnamespaces.IDMapping(65536, os.getgid(), 1)],
         )
         os.chown(tdir, 0, 0)
+        os.chmod(tdir, 0o755)
         setupevent.write()
         setupevent.close()
         _, ret = os.waitpid(pid, 0)
-- 
cgit v1.2.3