Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Change ownership of /dev/std* #131

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

WIP: Change ownership of /dev/std* #131

wants to merge 1 commit into from

Conversation

JonathonReinhart
Copy link
Owner

@JonathonReinhart JonathonReinhart commented Mar 23, 2019
edited
Loading

This updates scubainit to change ownership of /dev/std* before switching users to the scubauser. This fixes the common case of #126, where scubauser cannot write to /dev/stdout:

$ scuba /bin/sh -c 'echo hello > /dev/stdout'
hello

Unfortunately this fix is not perfect, but I'm not sure that it can be.

If scuba's standard output is redirected to e.g. /dev/null, then scuba will not tell docker to create a tty. When this happens, scubainit ends up trying to call fchown on a fd that refers to /dev/null. This actually causes an AVC denial on Fedora 28. So I add the following check:

if (!isatty(fd))
    continue

This allows the following behaviors:

$ scuba /bin/sh -c 'echo hello > /dev/stdout' >/dev/null
/bin/sh: 1: cannot create /dev/stdout: Permission denied

$ scuba /bin/sh -c 'echo hello > /dev/stdout' | cat
/bin/sh: 1: cannot create /dev/stdout: Permission denied

However, I'm not entirely sure why:

$ scuba /bin/sh -c 'ls -l /proc/self/fd' | cat
total 0
lr-x------. 1 scubauser scubauser 64 Mar 23 20:24 0 -> pipe:[3630051]
l-wx------. 1 scubauser scubauser 64 Mar 23 20:24 1 -> pipe:[3630052]
l-wx------. 1 scubauser scubauser 64 Mar 23 20:24 2 -> pipe:[3630053]
lr-x------. 1 scubauser scubauser 64 Mar 23 20:24 3 -> /proc/9/fd

@codecov-io
Copy link

codecov-io commented Mar 23, 2019
edited
Loading

Codecov Report

Merging #131 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #131   +/-   ##
=======================================
  Coverage   94.95%   94.95%           
=======================================
  Files           9        9           
  Lines         615      615           
=======================================
  Hits          584      584           
  Misses         31       31

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8352625...feecfb6. Read the comment docs.

@JonathonReinhart JonathonReinhart mentioned this pull request Mar 23, 2019
Open
@github-actions
Copy link

Test Results

    5 files      5 suites   1m 59s ⏱️
161 tests 158 ✔️   2 💤 1
805 runs  790 ✔️ 10 💤 5

For more details on these failures, see this check.

Results for commit e4c1fed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JonathonReinhart @codecov-io