From 3e3b44b68c737ac0c0680ff876a6e37e27c2ce14 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Wed, 9 Dec 2020 23:32:23 +0100
Subject: [PATCH 1/3] Move sysusers call back to Dockerfile

Resolves #52. Added small tests for user/group counts.
---
 .gitlab-ci.yml | 2 ++
 Dockerfile.template | 1 +
 Makefile | 1 -
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 52634d4..4d00b8a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -151,6 +151,8 @@ image:publish:secure: - tags .test-script: &test-script + - test "$(cat /etc/group | wc -l)" -gt 10 + - test "$(cat /etc/passwd | wc -l)" -gt 10 - pacman -Sy - pacman -Qqk - pacman -Syu --noconfirm docker grep
diff --git a/Dockerfile.template b/Dockerfile.template
index 0320331..6cdf2f0 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -22,6 +22,7 @@ FROM scratch AS root
COPY --from=verify /rootfs/ /
RUN ldconfig
+RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
ENV LANG=en_US.UTF-8
CMD ["/usr/bin/bash"]
diff --git a/Makefile b/Makefile
index 21f3dc4..939c24a 100644
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,6 @@ define rootfs
fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
fakechroot -- fakeroot -- chroot $(BUILDDIR) locale-gen
- fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers'
fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"'
ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release

From c0e73cd9002779674cbf8a6883baaf49489c9119 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Thu, 10 Dec 2020 19:01:18 +0100
Subject: [PATCH 2/3] Drop ls pipe for sysusers call

It had no effect whatsoever anyway.
---
 Dockerfile.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
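Review bot: The two added `test "$(cat … | wc -l)" -gt 10` lines in .test-script only assert that /etc/group and /etc/passwd have more than ten entries, which says nothing about whether the sysusers step actually ran; a rootfs that already ships close to that many accounts would pass even if no sysusers.d account was created, and the threshold will need revisiting whenever the base set of accounts grows. A check for an account that only sysusers creates is both more precise and self-documenting, for example `- getent passwd systemd-network` (any account declared under /usr/lib/sysusers.d in the shipped rootfs would do; confirm which ones the template contains). The `cat | wc -l` form can be written `wc -l < /etc/passwd`, which drops the extra process and the useless-cat lint warning. The .test-script anchor continues outside the hunk.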
diff --git a/Dockerfile.template b/Dockerfile.template
index 6cdf2f0..904004d 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -22,7 +22,7 @@ FROM scratch AS root
COPY --from=verify /rootfs/ /
RUN ldconfig
-RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
+RUN /usr/share/libalpm/scripts/systemd-hook sysusers
ENV LANG=en_US.UTF-8
CMD ["/usr/bin/bash"]

From eb0c127ba6e8fbb5f4f62cf7772c8a9cc7e4d4c9 Mon Sep 17 00:00:00 2001
From: Santiago Torres
Date: Thu, 10 Dec 2020 19:07:59 -0500
Subject: [PATCH 3/3] Makefile: use sysusers directly

Instead of using the libalpm systemd-syusers hook, use sysusers directly. The --root parameter allows us to avoid using the host's namespace and populate using the conf files in the target's build directory.
---
 Dockerfile.template | 1 -
 Makefile | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index 904004d..0320331 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -22,7 +22,6 @@ FROM scratch AS root
COPY --from=verify /rootfs/ /
RUN ldconfig
-RUN /usr/share/libalpm/scripts/systemd-hook sysusers
ENV LANG=en_US.UTF-8
CMD ["/usr/bin/bash"]
diff --git a/Makefile b/Makefile
index 939c24a..9bbf83a 100644
--- a/Makefile
+++ b/Makefile
@@ -23,6 +23,9 @@ fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release
+ # add system users
+ fakechroot -- fakeroot -- chroot $(BUILDDIR) /usr/bin/systemd-sysusers --root "/"
+ # remove passwordless login for root (see CVE-2019-5021 for reference)
sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
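Review bot: On the added `fakechroot -- fakeroot -- chroot $(BUILDDIR) /usr/bin/systemd-sysusers --root "/"` line in the Makefile hunk, `--root "/"` is a no-op: inside the chroot `/` already is $(BUILDDIR), so it is the chroot, not the flag, that keeps the host's passwd and sysusers.d out of the picture, and the commit message credits the wrong mechanism. If the goal is to drop the fakechroot/chroot indirection, the conventional form is to point the tool at the build tree from outside, `fakeroot -- systemd-sysusers --root "$(BUILDDIR)"`, which reads $(BUILDDIR)/usr/lib/sysusers.d and writes $(BUILDDIR)/etc/passwd, group, shadow and gshadow; that does make the result depend on the host's systemd-sysusers version rather than the target's, so confirm that trade-off is acceptable before switching. The `# add system users` comment would be more useful if it named which sysusers.d directory is consumed and why the step must precede the `sed` on etc/shadow, e.g. `# populate passwd/group/shadow from the target's /usr/lib/sysusers.d (must run before the root shadow fix-up below)`. The rootfs define block continues outside the hunk.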