#!/bin/sh
#
# Privilege escalation helper (container -> host): detect whether a host escape
# via nsenter is possible, then
# - run the command on the host (in the host's namespaces), instead of in the container
# - in case of misconfiguration (host / not mounted, nsenter fails), run the command
#   in the container anyway; this fallback is only announced on stderr, so callers
#   must not assume the command actually ran on the host
# Anyone who can execute this script can run arbitrary commands in the host's
# namespaces; keep it out of reach of untrusted users.
#
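# Where the host's / is bind-mounted inside the container (override via env).
HOST_ROOTFS=${HOST_ROOTFS:-'/rootfs'}

# Namespace handles of the host's PID 1, read through the procfs found under
# HOST_ROOTFS.  If HOST_ROOTFS/proc is not the host's /proc (for example when
# / was bind-mounted non-recursively) these entries are missing or wrong and
# the probe below fails.
host_ns="${HOST_ROOTFS}/proc/1/ns"

# Replace the current process with "$@" running in the host's mount, IPC,
# network and UTS namespaces, chrooted to HOST_ROOTFS.  Needs setns(2) to
# succeed from inside the container, i.e. a suitably privileged container.
# Deliberately NOT entered: the host's PID and user namespaces (no --pid,
# no --user), so the command keeps the container's PID view and credentials.
# Every option is quoted and "$@" is passed through, so a HOST_ROOTFS or
# command argument containing whitespace or glob characters stays intact
# (the previous string-built command line was re-split by the shell).
on_host() {
  exec nsenter --root="${HOST_ROOTFS}" \
    --mount="${host_ns}/mnt" \
    --ipc="${host_ns}/ipc" \
    --net="${host_ns}/net" \
    --uts="${host_ns}/uts" \
    "$@"
}

# Report why the host escape is unusable, run the command inside the
# container instead and exit with its status.  Never returns.
#   $1   - diagnostic message
#   $2.. - the command and its arguments, passed through unchanged
# Diagnostics go to fd 2 directly; "> /dev/stderr" re-opens the device node,
# which is absent in some minimal containers and truncates a regular file.
error() {
  reason=$1
  shift
  printf '%s\n' "${reason}" >&2
  printf 'Running command inside container: %s\n' "${1}" >&2
  "$@"
  exit $?
}

# Refuse to run without a command: nsenter(1) given no command starts an
# interactive shell, which on the host side is never what a caller of this
# wrapper wants.
if [ $# -eq 0 ]; then
  printf 'usage: %s COMMAND [ARG...]\n' "${0##*/}" >&2
  exit 2
fi
COMMAND="${1}"

# Detect the /-filesystem of the host.
if [ ! -d "${HOST_ROOTFS}" ]; then
  error "The /-filesystem of the host is not at ${HOST_ROOTFS}" "$@"
fi

# Probe the escape with /bin/true before handing it the real command.  The
# subshell is required because on_host exec()s.  A passing probe only proves
# that nsenter could enter the namespaces named above; whether they really
# are the host's depends on HOST_ROOTFS being the host's /.
if ! (on_host /bin/true); then
  error "Could not run a command on the host, falling back to run in container." "$@"
fi

printf 'Running command on the host: %s\n' "${COMMAND}" >&2
on_host "$@"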