From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Leo Nunner <l.nunner@proxmox.com>
Subject: Re: [pve-devel] [PATCH v2 container] fix #4192: revamp check for systemd version
Date: Mon, 12 Sep 2022 16:01:00 +0200
Message-ID: <49d3280a-3144-1411-3911-1f2138476116@proxmox.com>
In-Reply-To: <1662985982.t6rahmo5l4.astroid@nora.none>

On 12/09/2022 at 14:41, Fabian Grünbichler wrote:
>> Instead of iterating through several folders, it might just be easier to
>> check the ldd output of /sbin/init and get the version from there.
>> Furthermore, the regex for checking the version has been adapted so that
>> it's more precise.
> ldd is not suited for this purpose for security reasons, since /sbin/init 
> is a user/attacker-controlled binary in this case and we are only in a 
> chroot while doing the setup, not really containerized. given a crafted 
> container template/backup archive/.. this could execute arbitrary code.
> 
> its manpage suggests using
> 
>  objdump -p /path/to/binary
> 
> and looking at the lines with "NEEDED", which seems to me should be fine 
> for what we want to achieve here 😄
> 

tbf, I suggested using something like ldd here, but I mostly meant if we actually
need to further extend this than simply checking three instead of two paths.

But I actually like the much shorter code, so from that POV it could be a nicer
option, but it makes us dependent on actually executing code from the CT archive,
which also assumes the availability of something like ldd or objdump, which may
not be the case in all templates?

Two small nits w.r.t. the v2 still inline.

On 12/09/2022 at 14:25, Leo Nunner wrote:
> +    my $version = undef;
> +    PVE::Tools::run_command(
> +	[
> +	    'ldd',
> +	    '/sbin/init'
> +	],
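Review bot: invoking `ldd` on `/sbin/init` here means executing code from the archive: glibc's ldd works by running the binary's dynamic loader with LD_TRACE_LOADED_OBJECTS set, and as noted in the thread this runs only inside a chroot of a user-supplied template or backup, so a crafted init binary or loader can run arbitrary code during setup. Reading the dynamic section instead, e.g. `[ 'objdump', '-p', '/sbin/init' ]` and matching the NEEDED entries, does not execute the init binary itself; it still depends on an objdump binary being present and trustworthy in that environment, which the same caveat applies to.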

you can put the array ref in one line, e.g., with Fabian's relayed manpage
suggestion it'd be fine to do:

    [ 'objdump', '-p', '/sbin/init' ],

> +	outfunc => sub {
> +	    my $line = shift;
> +	    if ($line =~ /^\s*libsystemd-shared-(\d+)(?:\.[a-zA-Z0-9]*)?\.so/) {
> +		$version = $1;
> +	    }},
> +	errmsg => "ldd on /sbin/init failed"
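Review bot: the regex and the `errmsg` text are tied to the ldd output format (`libsystemd-shared-251.so => /lib/...`); if the call is switched to `objdump -p` as suggested, the relevant lines read `NEEDED  libsystemd-shared-251.so`, so the `^\s*libsystemd-shared-` anchor would never match and `$version` would silently stay undef. In that case anchor on `^\s*NEEDED\s+libsystemd-shared-(\d+)` and adjust the `errmsg` string to name the command actually run.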

above is missing a trailing comma, which would ensure that any possible addition of an
option in the future won't need to touch an unrelated line.

> +    );
> +
> +    return $version;
>  }
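For reference, an added example that is not part of the patch or of pve-container: extracting the version from the NEEDED entries of `objdump -p` output as suggested above, so the init binary from the archive is never run. The sample lines are constructed, the function names are made up, and the wrapper assumes it is given a path to the init binary as a regular file and that `objdump` resolves to a trusted binutils (which is not the case when it is run from inside a chroot of the archive itself).

```perl
#!/usr/bin/perl
# Added example, not pve-container code. Determine the systemd major version of a
# container's init from the ELF NEEDED entries printed by `objdump -p`, i.e. by
# reading the binary's dynamic section rather than running its dynamic loader.
use strict;
use warnings;

# Takes a ref to the lines of `objdump -p` output. Returns the major version from
# a "NEEDED libsystemd-shared-<ver>.so" entry, or undef if no such entry exists
# (e.g. init is not systemd, or the template links a differently named library).
sub systemd_version_from_objdump {
    my ($lines) = @_;
    for my $line (@$lines) {
        # objdump prints e.g. "  NEEDED               libsystemd-shared-252.so";
        # the version pattern is the one from the patch, anchored on NEEDED.
        if ($line =~ /^\s*NEEDED\s+libsystemd-shared-(\d+)(?:\.[a-zA-Z0-9]*)?\.so\s*$/) {
            return $1;
        }
    }
    return;
}

# Runs objdump on the given init binary (assumption: $init_path is a regular file
# already resolved inside the rootfs, and 'objdump' is a trusted binutils from the
# host, not one taken from the archive under inspection).
sub systemd_version_of_init {
    my ($init_path) = @_;
    open(my $fh, '-|', 'objdump', '-p', $init_path)
        or die "could not run objdump on $init_path: $!\n";
    my @lines = <$fh>;
    close($fh) or die "objdump on $init_path failed\n";
    return systemd_version_from_objdump(\@lines);
}

# Constructed sample of what `objdump -p` prints for a systemd init binary;
# not captured from a real template.
my @sample = (
    "Dynamic Section:\n",
    "  NEEDED               libsystemd-shared-252.so\n",
    "  NEEDED               libc.so.6\n",
    "  RUNPATH              /lib/systemd\n",
);
my $version = systemd_version_from_objdump(\@sample);
print "systemd major version: ", ($version // 'not found'), "\n";
```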
