From 25bf8a31620038c270e848b01c2b87ffa91665b1 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Mon, 2 Oct 2023 18:40:00 +0200 Subject: [PATCH] Revert "Simplify removing the user's password" This wasn't meant for RHEL 8.10. This reverts commit ccb85304e31f4610ea0ae1ab5c765ed42246fbcb. Resolves: RHEL-2038 --- ...ation-paths-for-coreos-toolbox-users.patch | 8 +- ...implify-removing-the-user-s-password.patch | 1056 ----------------- ...r-Be-aware-of-security-hardened-moun.patch | 4 +- toolbox.spec | 8 +- 4 files changed, 7 insertions(+), 1069 deletions(-) delete mode 100644 toolbox-Simplify-removing-the-user-s-password.patch diff --git a/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch b/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch index 31a301f..88003a3 100644 --- a/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch +++ b/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch @@ -1,4 +1,4 @@ -From 4b60bfc74678f8d5fb779be5c0fc0bc8e892d247 Mon Sep 17 00:00:00 2001 +From d461caa5b1a278124d039df93140d2d5bf4eabe7 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Wed, 18 Aug 2021 17:55:21 +0200 Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST @@ -22,10 +22,10 @@ index 7657ffa50821..23d422623b14 100644 "--preserve-fds", preserveFDs, }...) -- -2.41.0 +2.39.2 -From 4ae3f7afc777dce2fe3b03198e0987507c049258 Mon Sep 17 00:00:00 2001 +From 3c2c67752e8f88f72058799cbce3612fc937b230 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Fri, 10 Dec 2021 13:42:15 +0100 Subject: [PATCH 2/2] test/system: Update to test the migration path for @@ -97,5 +97,5 @@ index 000000000000..32d87904213e + skip "Testing of entering toolboxes is not implemented" +} -- -2.41.0 +2.39.2 diff --git a/toolbox-Simplify-removing-the-user-s-password.patch b/toolbox-Simplify-removing-the-user-s-password.patch deleted file mode 100644 index d10d870..0000000 --- a/toolbox-Simplify-removing-the-user-s-password.patch +++ /dev/null @@ -1,1056 +0,0 @@ -From 07d5c061eacec0a3b145947a9b95a11b705ea5d3 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Sat, 12 Aug 2023 14:26:22 +0200 -Subject: [PATCH 1/5] test/system: Test that group and user IDs work - -These tests assume that the group and user information on the host -operating system can be provided by different plugins for the GNU Name -Service Switch (or NSS) functionality of the GNU C Library. eg., on -enterprise FreeIPA set-ups. However, it's expected that everything -inside the Toolbx container will be provided by /etc/group, /etc/passwd, -/etc/shadow, etc.. - -While /etc/group and /etc/passwd can be read by any user, /etc/shadow -can only be read by root. However, it's awkward to use sudo(8) in the -test cases involving /etc/shadow, because they ensure that root and -$USER don't need passwords to authenticate inside the container, and -sudo(8) itself depends on that. If sudo(8) is used, the test suite can -behave unexpectedly if Toolbx didn't set up the container correctly. -eg., it can get blocked waiting for a password. - -Hence, 'podman unshare' is used instead to enter the container's initial -user namespace, where $USER from the host appears as root. This is -sufficient because the test cases only need to read /etc/shadow inside -the Toolbx container. - -https://github.com/containers/toolbox/pull/1355 ---- - test/system/206-user.bats | 520 ++++++++++++++++++++++++++++++++++++++ - 1 file changed, 520 insertions(+) - create mode 100644 test/system/206-user.bats - -diff --git a/test/system/206-user.bats b/test/system/206-user.bats -new file mode 100644 -index 000000000000..fdb2a33da88c ---- /dev/null -+++ b/test/system/206-user.bats -@@ -0,0 +1,520 @@ -+# shellcheck shell=bats -+# -+# Copyright © 2023 Red Hat, Inc. -+# -+# Licensed under the Apache License, Version 2.0 (the "License"); -+# you may not use this file except in compliance with the License. -+# You may obtain a copy of the License at -+# -+# http://www.apache.org/licenses/LICENSE-2.0 -+# -+# Unless required by applicable law or agreed to in writing, software -+# distributed under the License is distributed on an "AS IS" BASIS, -+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+# See the License for the specific language governing permissions and -+# limitations under the License. -+# -+ -+load 'libs/bats-support/load' -+load 'libs/bats-assert/load' -+load 'libs/helpers' -+ -+setup() { -+ bats_require_minimum_version 1.7.0 -+ _setup_environment -+ cleanup_containers -+} -+ -+teardown() { -+ cleanup_containers -+} -+ -+@test "user: separate namespace" { -+ local ns_host -+ ns_host=$(readlink /proc/$$/ns/user) -+ -+ create_default_container -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run sh -c 'readlink /proc/$$/ns/user' -+ -+ assert_success -+ assert_line --index 0 --regexp '^user:\[[[:digit:]]+\]$' -+ refute_line --index 0 "$ns_host" -+ -+ if check_bats_version 1.10.0; then -+ assert [ ${#lines[@]} -eq 1 ] -+ else -+ assert [ ${#lines[@]} -eq 2 ] -+ fi -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: root in shadow(5) inside the default container" { -+ local default_container -+ default_container="$(get_system_id)-toolbox-$(get_system_version)" -+ -+ create_default_container -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount "$default_container")" -+ -+ "$TOOLBOX" run true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount "$default_container" -+ -+ assert_success -+ assert_line --regexp '^root::.+$' -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: root in shadow(5) inside Arch Linux" { -+ create_distro_container arch latest arch-toolbox-latest -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount arch-toolbox-latest)" -+ -+ "$TOOLBOX" run --distro arch true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount arch-toolbox-latest -+ -+ assert_success -+ assert_line --regexp '^root::.+$' -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: root in shadow(5) inside Fedora 34" { -+ create_distro_container fedora 34 fedora-toolbox-34 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount fedora-toolbox-34)" -+ -+ "$TOOLBOX" run --distro fedora --release 34 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount fedora-toolbox-34 -+ -+ assert_success -+ assert_line --regexp '^root::.+$' -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: root in shadow(5) inside RHEL 8.7" { -+ create_distro_container rhel 8.7 rhel-toolbox-8.7 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount rhel-toolbox-8.7)" -+ -+ "$TOOLBOX" run --distro rhel --release 8.7 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount rhel-toolbox-8.7 -+ -+ assert_success -+ assert_line --regexp '^root::.+$' -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: root in shadow(5) inside Ubuntu 16.04" { -+ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-16.04)" -+ -+ "$TOOLBOX" run --distro ubuntu --release 16.04 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-16.04 -+ -+ assert_success -+ assert_line --regexp '^root::.+$' -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: root in shadow(5) inside Ubuntu 18.04" { -+ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-18.04)" -+ -+ "$TOOLBOX" run --distro ubuntu --release 18.04 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-18.04 -+ -+ assert_success -+ assert_line --regexp '^root::.+$' -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: root in shadow(5) inside Ubuntu 20.04" { -+ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-20.04)" -+ -+ "$TOOLBOX" run --distro ubuntu --release 20.04 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-20.04 -+ -+ assert_success -+ assert_line --regexp '^root::.+$' -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in passwd(5) inside the default container" { -+ local user_gecos -+ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" -+ -+ local user_id_real -+ user_id_real="$(id --real --user)" -+ -+ create_default_container -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run sh -c 'cat /etc/passwd' -+ -+ assert_success -+ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in passwd(5) inside Arch Linux" { -+ local user_gecos -+ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" -+ -+ local user_id_real -+ user_id_real="$(id --real --user)" -+ -+ create_distro_container arch latest arch-toolbox-latest -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro arch sh -c 'cat /etc/passwd' -+ -+ assert_success -+ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in passwd(5) inside Fedora 34" { -+ local user_gecos -+ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" -+ -+ local user_id_real -+ user_id_real="$(id --real --user)" -+ -+ create_distro_container fedora 34 fedora-toolbox-34 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro fedora --release 34 sh -c 'cat /etc/passwd' -+ -+ assert_success -+ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in passwd(5) inside RHEL 8.7" { -+ local user_gecos -+ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" -+ -+ local user_id_real -+ user_id_real="$(id --real --user)" -+ -+ create_distro_container rhel 8.7 rhel-toolbox-8.7 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro rhel --release 8.7 sh -c 'cat /etc/passwd' -+ -+ assert_success -+ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in passwd(5) inside Ubuntu 16.04" { -+ local user_gecos -+ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" -+ -+ local user_id_real -+ user_id_real="$(id --real --user)" -+ -+ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 16.04 sh -c 'cat /etc/passwd' -+ -+ assert_success -+ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in passwd(5) inside Ubuntu 18.04" { -+ local user_gecos -+ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" -+ -+ local user_id_real -+ user_id_real="$(id --real --user)" -+ -+ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 18.04 sh -c 'cat /etc/passwd' -+ -+ assert_success -+ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in passwd(5) inside Ubuntu 20.04" { -+ local user_gecos -+ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" -+ -+ local user_id_real -+ user_id_real="$(id --real --user)" -+ -+ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 20.04 sh -c 'cat /etc/passwd' -+ -+ assert_success -+ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in shadow(5) inside the default container" { -+ local default_container -+ default_container="$(get_system_id)-toolbox-$(get_system_version)" -+ -+ create_default_container -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount "$default_container")" -+ -+ "$TOOLBOX" run true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount "$default_container" -+ -+ assert_success -+ refute_line --regexp "^$USER:.*$" -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in shadow(5) inside Arch Linux" { -+ create_distro_container arch latest arch-toolbox-latest -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount arch-toolbox-latest)" -+ -+ "$TOOLBOX" run --distro arch true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount arch-toolbox-latest -+ -+ assert_success -+ refute_line --regexp "^$USER:.*$" -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in shadow(5) inside Fedora 34" { -+ create_distro_container fedora 34 fedora-toolbox-34 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount fedora-toolbox-34)" -+ -+ "$TOOLBOX" run --distro fedora --release 34 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount fedora-toolbox-34 -+ -+ assert_success -+ refute_line --regexp "^$USER:.*$" -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in shadow(5) inside RHEL 8.7" { -+ create_distro_container rhel 8.7 rhel-toolbox-8.7 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount rhel-toolbox-8.7)" -+ -+ "$TOOLBOX" run --distro rhel --release 8.7 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount rhel-toolbox-8.7 -+ -+ assert_success -+ refute_line --regexp "^$USER:.*$" -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in shadow(5) inside Ubuntu 16.04" { -+ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-16.04)" -+ -+ "$TOOLBOX" run --distro ubuntu --release 16.04 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-16.04 -+ -+ assert_success -+ refute_line --regexp "^$USER:.*$" -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in shadow(5) inside Ubuntu 18.04" { -+ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-18.04)" -+ -+ "$TOOLBOX" run --distro ubuntu --release 18.04 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-18.04 -+ -+ assert_success -+ refute_line --regexp "^$USER:.*$" -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in shadow(5) inside Ubuntu 20.04" { -+ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 -+ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-20.04)" -+ -+ "$TOOLBOX" run --distro ubuntu --release 20.04 true -+ -+ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" -+ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-20.04 -+ -+ assert_success -+ refute_line --regexp "^$USER:.*$" -+ assert [ ${#lines[@]} -gt 0 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in group(5) inside the default container" { -+ create_default_container -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run sh -c 'cat /etc/group' -+ -+ assert_success -+ assert_line --regexp "^(sudo|wheel):x:[[:digit:]]+:$USER$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in group(5) inside Arch Linux" { -+ create_distro_container arch latest arch-toolbox-latest -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro arch sh -c 'cat /etc/group' -+ -+ assert_success -+ assert_line --regexp "^wheel:x:[[:digit:]]+:$USER$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in group(5) inside Fedora 34" { -+ create_distro_container fedora 34 fedora-toolbox-34 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro fedora --release 34 sh -c 'cat /etc/group' -+ -+ assert_success -+ assert_line --regexp "^wheel:x:[[:digit:]]+:$USER$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in group(5) inside RHEL 8.7" { -+ create_distro_container rhel 8.7 rhel-toolbox-8.7 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro rhel --release 8.7 sh -c 'cat /etc/group' -+ -+ assert_success -+ assert_line --regexp "^wheel:x:[[:digit:]]+:$USER$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in group(5) inside Ubuntu 16.04" { -+ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 16.04 sh -c 'cat /etc/group' -+ -+ assert_success -+ assert_line --regexp "^sudo:x:[[:digit:]]+:$USER$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in group(5) inside Ubuntu 18.04" { -+ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 18.04 sh -c 'cat /etc/group' -+ -+ assert_success -+ assert_line --regexp "^sudo:x:[[:digit:]]+:$USER$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} -+ -+@test "user: $USER in group(5) inside Ubuntu 20.04" { -+ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 -+ -+ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 20.04 sh -c 'cat /etc/group' -+ -+ assert_success -+ assert_line --regexp "^sudo:x:[[:digit:]]+:$USER$" -+ assert [ ${#lines[@]} -gt 1 ] -+ -+ # shellcheck disable=SC2154 -+ assert [ ${#stderr_lines[@]} -eq 0 ] -+} --- -2.41.0 - - -From 22ba72f3152650d538437bf298ebde4a63e2adc9 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Wed, 4 Nov 2020 00:55:31 +0100 -Subject: [PATCH 2/5] Deprecate the --monitor-host option of 'init-container' - -The --monitor-host option was added to the 'init-container' command in -commit 8b84b5e4604921fa to accommodate Podman versions older than 1.2.0 -that didn't have the '--dns none' and '--no-hosts' options for -'podman create'. These options are necessary to keep the Toolbx -container's /etc/resolv.conf and /etc/hosts files synchronized with -those of the host. - -Note that Podman 1.2.0 was already available a few months before -commit 8b84b5e4604921fa introduced the --monitor-host option. The -chances of someone using an older Podman back then was already on the -decline, and it's very unlikely that a container created with such a -Podman has survived till this date. - -Commit b6b484fa792b442a raised the minimum required Podman version to -1.4.0, and made the '--dns none' and '--no-hosts' options a hard -requirement. The minimum required Podman version was again raised -recently in commit 8e80dd5db1e6f40b to 1.6.4. Therefore, these days, -there's no need to separately use the --monitor-host option of -'init-container' for newly created containers to indicate that the -Podman version wasn't older than 1.2.0. - -Given all this, it's time to stop using the --monitor-host option of -'init-container', and assume that it's always set. The option is still -accepted to retain compatibility with existing Toolbx containers. - -For containers that were created with the --monitor-host option, a -deprecation notice will be shown as: - $ podman start --attach CONTAINER - Flag --monitor-host has been deprecated, it does nothing - ... - -https://github.com/containers/toolbox/pull/617 ---- - doc/toolbox-init-container.1.md | 32 +++--------- - src/cmd/create.go | 1 - - src/cmd/initContainer.go | 86 ++++++++++++++++----------------- - 3 files changed, 49 insertions(+), 70 deletions(-) - -diff --git a/doc/toolbox-init-container.1.md b/doc/toolbox-init-container.1.md -index 45c9a77939f2..51a7b1ee643d 100644 ---- a/doc/toolbox-init-container.1.md -+++ b/doc/toolbox-init-container.1.md -@@ -9,7 +9,6 @@ toolbox\-init\-container - Initialize a running container - *--home-link* - *--media-link* - *--mnt-link* -- *--monitor-host* - *--shell SHELL* - *--uid UID* - *--user USER* -@@ -76,31 +75,12 @@ Make `/mnt` a symbolic link to `/var/mnt`. - - **--monitor-host** - --Ensures that certain configuration files inside the toolbox container are kept --synchronized with their counterparts on the host, and bind mounts some paths --from the host's file system into the container. -- --The synchronized files are: -- --- `/etc/host.conf` --- `/etc/hosts` --- `/etc/localtime` --- `/etc/resolv.conf` --- `/etc/timezone` -- --The bind mounted paths are: -- --- `/etc/machine-id` --- `/run/libvirt` --- `/run/systemd/journal` --- `/run/systemd/resolve` --- `/run/udev/data` --- `/tmp` --- `/var/lib/flatpak` --- `/var/lib/libvirt` --- `/var/lib/systemd/coredump` --- `/var/log/journal` --- `/var/mnt` -+Deprecated, does nothing. -+ -+Crucial configuration files inside the toolbox container are always kept -+synchronized with their counterparts on the host, and various subsets of the -+host's file system hierarchy are always bind mounted to their corresponding -+locations inside the toolbox container. - - **--shell** SHELL - -diff --git a/src/cmd/create.go b/src/cmd/create.go -index 2a103f01ed2d..6cec99258847 100644 ---- a/src/cmd/create.go -+++ b/src/cmd/create.go -@@ -393,7 +393,6 @@ func createContainer(container, image, release, authFile string, showCommandToEn - "--shell", userShell, - "--uid", currentUser.Uid, - "--user", currentUser.Username, -- "--monitor-host", - } - - entryPoint = append(entryPoint, slashHomeLink...) -diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go -index c4cd1b02d298..cb132bffc817 100644 ---- a/src/cmd/initContainer.go -+++ b/src/cmd/initContainer.go -@@ -107,8 +107,12 @@ func init() { - - flags.BoolVar(&initContainerFlags.monitorHost, - "monitor-host", -- false, -- "Ensure that certain configuration files inside the toolbox container are in sync with the host") -+ true, -+ "Deprecated, does nothing") -+ if err := flags.MarkDeprecated("monitor-host", "it does nothing"); err != nil { -+ panicMsg := fmt.Sprintf("cannot mark --monitor-host as deprecated: %s", err) -+ panic(panicMsg) -+ } - - flags.StringVar(&initContainerFlags.shell, - "shell", -@@ -163,59 +167,55 @@ func initContainer(cmd *cobra.Command, args []string) error { - - defer toolboxEnvFile.Close() - -- if initContainerFlags.monitorHost { -- logrus.Debug("Monitoring host") -- -- if utils.PathExists("/run/host/etc") { -- logrus.Debug("Path /run/host/etc exists") -- -- if _, err := os.Readlink("/etc/host.conf"); err != nil { -- if err := redirectPath("/etc/host.conf", -- "/run/host/etc/host.conf", -- false); err != nil { -- return err -- } -- } -+ if utils.PathExists("/run/host/etc") { -+ logrus.Debug("Path /run/host/etc exists") - -- if _, err := os.Readlink("/etc/hosts"); err != nil { -- if err := redirectPath("/etc/hosts", -- "/run/host/etc/hosts", -- false); err != nil { -- return err -- } -+ if _, err := os.Readlink("/etc/host.conf"); err != nil { -+ if err := redirectPath("/etc/host.conf", -+ "/run/host/etc/host.conf", -+ false); err != nil { -+ return err - } -+ } - -- if localtimeTarget, err := os.Readlink("/etc/localtime"); err != nil || -- localtimeTarget != "/run/host/etc/localtime" { -- if err := redirectPath("/etc/localtime", -- "/run/host/etc/localtime", -- false); err != nil { -- return err -- } -+ if _, err := os.Readlink("/etc/hosts"); err != nil { -+ if err := redirectPath("/etc/hosts", -+ "/run/host/etc/hosts", -+ false); err != nil { -+ return err - } -+ } - -- if err := updateTimeZoneFromLocalTime(); err != nil { -+ if localtimeTarget, err := os.Readlink("/etc/localtime"); err != nil || -+ localtimeTarget != "/run/host/etc/localtime" { -+ if err := redirectPath("/etc/localtime", -+ "/run/host/etc/localtime", -+ false); err != nil { - return err - } -+ } -+ -+ if err := updateTimeZoneFromLocalTime(); err != nil { -+ return err -+ } - -- if _, err := os.Readlink("/etc/resolv.conf"); err != nil { -- if err := redirectPath("/etc/resolv.conf", -- "/run/host/etc/resolv.conf", -- false); err != nil { -- return err -- } -+ if _, err := os.Readlink("/etc/resolv.conf"); err != nil { -+ if err := redirectPath("/etc/resolv.conf", -+ "/run/host/etc/resolv.conf", -+ false); err != nil { -+ return err - } -+ } - -- for _, mount := range initContainerMounts { -- if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { -- return err -- } -+ for _, mount := range initContainerMounts { -+ if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { -+ return err - } -+ } - -- if utils.PathExists("/sys/fs/selinux") { -- if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { -- return err -- } -+ if utils.PathExists("/sys/fs/selinux") { -+ if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { -+ return err - } - } - } --- -2.41.0 - - -From 66a791ff10234023b858b7a28dd98985b054eca1 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Tue, 7 Mar 2023 16:13:04 +0100 -Subject: [PATCH 3/5] cmd/initContainer: Bind mount locations regardless of - /run/host/etc - -Bind mounting the locations at runtime doesn't really have anything to -do with whether /run/host/etc is present inside the Toolbx container. - -The only possible exception could have been /etc/machine-id, but it -isn't, because the bind mount is only performed if the source at -/run/host/etc/machine-id is present. - -This is a historical mistake that has persisted for a long time, since, -in practice, /run/host/etc will almost always exist inside the Toolbx -container. It's time to finally correct it. - -Fallout from 9436bbece01d7aa4dc91b4013ed9f80d0b8d34f4 - -https://github.com/containers/toolbox/pull/1255 ---- - src/cmd/initContainer.go | 24 ++++++++++++------------ - 1 file changed, 12 insertions(+), 12 deletions(-) - -diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go -index cb132bffc817..153e5ccb824e 100644 ---- a/src/cmd/initContainer.go -+++ b/src/cmd/initContainer.go -@@ -206,18 +206,6 @@ func initContainer(cmd *cobra.Command, args []string) error { - return err - } - } -- -- for _, mount := range initContainerMounts { -- if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { -- return err -- } -- } -- -- if utils.PathExists("/sys/fs/selinux") { -- if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { -- return err -- } -- } - } - - if initContainerFlags.mediaLink { -@@ -236,6 +224,18 @@ func initContainer(cmd *cobra.Command, args []string) error { - } - } - -+ for _, mount := range initContainerMounts { -+ if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { -+ return err -+ } -+ } -+ -+ if utils.PathExists("/sys/fs/selinux") { -+ if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { -+ return err -+ } -+ } -+ - if _, err := user.Lookup(initContainerFlags.user); err != nil { - if err := configureUsers(initContainerFlags.uid, - initContainerFlags.user, --- -2.41.0 - - -From d416f1b4abd0782526c011b078442856c733e718 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Tue, 15 Aug 2023 20:57:46 +0200 -Subject: [PATCH 4/5] cmd/initContainer: Simplify code by removing a function - parameter - -Until now, configureUsers() was pushing the burden of deciding whether -to add a new user or modify an existing one on the callers, even though -it can trivially decide itself. Involving the caller loosens the -encapsulation of the user configuration logic by spreading it across -configureUsers() and it's caller, and adds an extra function parameter -that needs to be carefully set and is vulnerable to programmer errors. - -Fallout from 9ea6fe5852ea8f5225114d825e8e6813e2a3cfea - -https://github.com/containers/toolbox/pull/1356 ---- - src/cmd/initContainer.go | 62 ++++++++++++++++------------------------ - 1 file changed, 24 insertions(+), 38 deletions(-) - -diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go -index 153e5ccb824e..02c389635378 100644 ---- a/src/cmd/initContainer.go -+++ b/src/cmd/initContainer.go -@@ -236,24 +236,12 @@ func initContainer(cmd *cobra.Command, args []string) error { - } - } - -- if _, err := user.Lookup(initContainerFlags.user); err != nil { -- if err := configureUsers(initContainerFlags.uid, -- initContainerFlags.user, -- initContainerFlags.home, -- initContainerFlags.shell, -- initContainerFlags.homeLink, -- false); err != nil { -- return err -- } -- } else { -- if err := configureUsers(initContainerFlags.uid, -- initContainerFlags.user, -- initContainerFlags.home, -- initContainerFlags.shell, -- initContainerFlags.homeLink, -- true); err != nil { -- return err -- } -+ if err := configureUsers(initContainerFlags.uid, -+ initContainerFlags.user, -+ initContainerFlags.home, -+ initContainerFlags.shell, -+ initContainerFlags.homeLink); err != nil { -+ return err - } - - if utils.PathExists("/etc/krb5.conf.d") && !utils.PathExists("/etc/krb5.conf.d/kcm_default_ccache") { -@@ -386,9 +374,7 @@ func initContainerHelp(cmd *cobra.Command, args []string) { - } - } - --func configureUsers(targetUserUid int, -- targetUser, targetUserHome, targetUserShell string, -- homeLink, targetUserExists bool) error { -+func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShell string, homeLink bool) error { - if homeLink { - if err := redirectPath("/home", "/var/home", true); err != nil { - return err -@@ -400,45 +386,45 @@ func configureUsers(targetUserUid int, - return fmt.Errorf("failed to get group for sudo: %w", err) - } - -- if targetUserExists { -- logrus.Debugf("Modifying user %s with UID %d:", targetUser, targetUserUid) -+ if _, err := user.Lookup(targetUser); err != nil { -+ logrus.Debugf("Adding user %s with UID %d:", targetUser, targetUserUid) - -- usermodArgs := []string{ -- "--append", -+ useraddArgs := []string{ - "--groups", sudoGroup, -- "--home", targetUserHome, -+ "--home-dir", targetUserHome, -+ "--no-create-home", - "--shell", targetUserShell, - "--uid", fmt.Sprint(targetUserUid), - targetUser, - } - -- logrus.Debug("usermod") -- for _, arg := range usermodArgs { -+ logrus.Debug("useradd") -+ for _, arg := range useraddArgs { - logrus.Debugf("%s", arg) - } - -- if err := shell.Run("usermod", nil, nil, nil, usermodArgs...); err != nil { -- return fmt.Errorf("failed to modify user %s with UID %d: %w", targetUser, targetUserUid, err) -+ if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil { -+ return fmt.Errorf("failed to add user %s with UID %d: %w", targetUser, targetUserUid, err) - } - } else { -- logrus.Debugf("Adding user %s with UID %d:", targetUser, targetUserUid) -+ logrus.Debugf("Modifying user %s with UID %d:", targetUser, targetUserUid) - -- useraddArgs := []string{ -+ usermodArgs := []string{ -+ "--append", - "--groups", sudoGroup, -- "--home-dir", targetUserHome, -- "--no-create-home", -+ "--home", targetUserHome, - "--shell", targetUserShell, - "--uid", fmt.Sprint(targetUserUid), - targetUser, - } - -- logrus.Debug("useradd") -- for _, arg := range useraddArgs { -+ logrus.Debug("usermod") -+ for _, arg := range usermodArgs { - logrus.Debugf("%s", arg) - } - -- if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil { -- return fmt.Errorf("failed to add user %s with UID %d: %w", targetUser, targetUserUid, err) -+ if err := shell.Run("usermod", nil, nil, nil, usermodArgs...); err != nil { -+ return fmt.Errorf("failed to modify user %s with UID %d: %w", targetUser, targetUserUid, err) - } - } - --- -2.41.0 - - -From e673dc792438c64683237d26b21d005ffb008fd5 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Tue, 22 Aug 2023 23:29:43 +0200 -Subject: [PATCH 5/5] cmd/initContainer: Simplify removing the user's password - -It's one less invocation of an external command, which is good because -spawning a new process is generally expensive. - -One positive side-effect of this is that on some Active Directory -set-ups, the entry point no longer fails with: - Error: failed to remove password for user login@company.com: failed - to invoke passwd(1) - -... because of: - # passwd --delete login@company.com - passwd: Libuser error at line: 210 - name contains invalid char `@'. - -This is purely an accident, and isn't meant to be an intential change to -support Active Directory. Tools like useradd(8) and usermod(8) from -Shadow aren't meant to work with Active Directory users, and, hence, it -can still break in other ways. For that, one option is to expose $USER -from the host operating system to the Toolbx container through a Varlink -interface that can be used by nss-systemd inside the container. - -Based on an idea from Si. - -https://github.com/containers/toolbox/issues/585 ---- - src/cmd/initContainer.go | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go -index 02c389635378..91b53cee7d0d 100644 ---- a/src/cmd/initContainer.go -+++ b/src/cmd/initContainer.go -@@ -393,6 +393,7 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe - "--groups", sudoGroup, - "--home-dir", targetUserHome, - "--no-create-home", -+ "--password", "", - "--shell", targetUserShell, - "--uid", fmt.Sprint(targetUserUid), - targetUser, -@@ -413,6 +414,7 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe - "--append", - "--groups", sudoGroup, - "--home", targetUserHome, -+ "--password", "", - "--shell", targetUserShell, - "--uid", fmt.Sprint(targetUserUid), - targetUser, -@@ -428,12 +430,6 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe - } - } - -- logrus.Debugf("Removing password for user %s", targetUser) -- -- if err := shell.Run("passwd", nil, nil, nil, "--delete", targetUser); err != nil { -- return fmt.Errorf("failed to remove password for user %s: %w", targetUser, err) -- } -- - logrus.Debug("Removing password for user root") - - if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil { --- -2.41.0 - diff --git a/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch b/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch index adf39a3..73b91f5 100644 --- a/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch +++ b/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch @@ -1,4 +1,4 @@ -From 1fde98456652ddbcb750ade2121c5ceec93fbfae Mon Sep 17 00:00:00 2001 +From 1cc9e07b7c36fe9f9784b40b58f0a2a3694dd328 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Thu, 13 Jul 2023 13:08:40 +0200 Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points @@ -54,7 +54,7 @@ https://github.com/containers/toolbox/issues/911 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go -index 465ac063b210..c4cd1b02d298 100644 +index 222aa42e1036..41b825b33f58 100644 --- a/src/cmd/initContainer.go +++ b/src/cmd/initContainer.go @@ -62,10 +62,10 @@ var ( diff --git a/toolbox.spec b/toolbox.spec index df2dd38..e40ad89 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -6,7 +6,7 @@ Version: 0.0.99.4 %global goipath github.com/containers/%{name} %gometa -Release: 6%{?dist} +Release: 5%{?dist} Summary: Tool for containerized command line environments on Linux License: ASL 2.0 @@ -18,7 +18,6 @@ Source1: %{name}.conf # Upstream Patch0: toolbox-Build-fixes.patch Patch1: toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch -Patch2: toolbox-Simplify-removing-the-user-s-password.patch # RHEL specific Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch @@ -61,7 +60,6 @@ The %{name}-tests package contains system tests for %{name}. %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p1 %ifnarch ppc64 %patch100 -p1 @@ -127,10 +125,6 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf %changelog -* Mon Oct 02 2023 Debarshi Ray - 0.0.99.4-6 -- Simplify removing the user's password -Resolves: RHEL-2038 - * Fri Aug 11 2023 Debarshi Ray - 0.0.99.4-5 - Be aware of security hardened mount points Resolves: #2144541