rpms/toolbox
7
0
Fork 0
Code Issues Pull Requests Releases Activity
77d14fb821
toolbox/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch

150 lines
4.8 KiB
Diff
Raw Normal View History

Update to 0.0.99.4 ... and fix CVE-2022-3064. Resolves: #2164981, #2165744
2023-04-04 15:20:11 +00:00
From 52de8d4a933ab6a4b1b6ef1c02c7e9f1f834c4a5 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Wed, 1 Mar 2023 19:41:56 +0100
Subject: [PATCH 1/3] cmd/root: Sprinkle a debug log
https://github.com/containers/toolbox/pull/1251
---
src/cmd/root.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index 304b03dcd889..82fbfd651c33 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -215,6 +215,7 @@ func migrate() error {
logrus.Debug("Migrating to newer Podman")
if utils.IsInsideContainer() {
+ logrus.Debug("Migration not needed: running inside a container")
return nil
}
--
2.39.2
From 0beab62c935cd1166d6b03f58c519bbc7b040221 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Wed, 1 Mar 2023 19:46:11 +0100
Subject: [PATCH 2/3] cmd/root: Shuffle some code around and sprinkle some
debug logs
Having a separate convenience function reduces the indentation levels by
at least one, and sometimes two, and makes it easy to have more detailed
debug logs.
This will make the subsequent commit easier to read.
https://github.com/containers/toolbox/issues/1246
---
src/cmd/root.go | 32 ++++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index 82fbfd651c33..4c740ec60d38 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -1,5 +1,5 @@
/*
- * Copyright © 2019 2022 Red Hat Inc.
+ * Copyright © 2019 2023 Red Hat Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -139,13 +139,8 @@ func preRun(cmd *cobra.Command, args []string) error {
if !utils.IsInsideContainer() {
logrus.Debugf("Running on a cgroups v%d host", cgroupsVersion)
- if currentUser.Uid != "0" {
- logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", currentUser.Username)
-
- if _, err := utils.ValidateSubIDRanges(currentUser); err != nil {
- logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
- return newSubIDError()
- }
+ if _, err := validateSubIDRanges(cmd, args, currentUser); err != nil {
+ return err
}
}
@@ -387,3 +382,24 @@ func setUpLoggers() error {
return nil
}
+
+func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bool, error) {
+ logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", user.Username)
+
+ if user.Uid == "0" {
+ logrus.Debugf("Look-up not needed: user %s doesn't need them", user.Username)
+ return true, nil
+ }
+
+ if utils.IsInsideContainer() {
+ logrus.Debug("Look-up not needed: running inside a container")
+ return true, nil
+ }
+
+ if _, err := utils.ValidateSubIDRanges(user); err != nil {
+ logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
+ return false, newSubIDError()
+ }
+
+ return true, nil
+}
--
2.39.2
From d09c9cd1de41b6e85a6953902c9982778a423f3c Mon Sep 17 00:00:00 2001
From: Jan Zerebecki <jan.suse@zerebecki.de>
Date: Wed, 1 Mar 2023 19:52:28 +0100
Subject: [PATCH 3/3] cmd/root: Don't validate subordinate IDs when generating
the completions
Ever since commit bafbbe81c9220cb3, the shell completions are generated
while building Toolbx using the 'completion' command. This involves
running toolbox(1) itself, and hence validating the subordinate user and
group ID ranges.
Unfortunately, some build environments, like openSUSE's, don't have
subordinate ID ranges set up. Therefore, it's better to not validate
the subordinate ID ranges when generating the shell completions, since
they are generated by Cobra itself and subordinate ID ranges are not
involved at all.
Note that subordinate ID ranges may be needed when the generated shell
completions are actually used in interactive command line environments.
The shell completions invoke the hidden '__complete' command to get the
results that are presented to the user, and, if needed, the subordinate
ID ranges will continue to be used by podman(1) as part of that.
Some changes by Debarshi Ray.
https://github.com/containers/toolbox/issues/1246
https://github.com/containers/toolbox/pull/1249
---
src/cmd/root.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index 4c740ec60d38..efee8ce9990b 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -396,6 +396,11 @@ func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bo
return true, nil
}
+ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
+ logrus.Debugf("Look-up not needed: command %s doesn't need them", cmdName)
+ return true, nil
+ }
+
if _, err := utils.ValidateSubIDRanges(user); err != nil {
logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
return false, newSubIDError()
--
2.39.2
Reference in New Issue Copy Permalink