On September 12, 2022 2:25 pm, Leo Nunner wrote:
> Instead of iterating through several folders, it might just be easier to
> check the ldd output of /sbin/init and getting the version from there.
> Furthermore, the regex for checking the version has been adapted so that
> it's more precise.

ldd is not suited for this purpose for security reasons, since /sbin/init is a user/attacker-controlled binary in this case and we are only in a chroot while doing the setup, not really containerized. given a crafted container template/backup archive/.. this could execute arbitrary code. its manpage suggests using objdump -p /path/to/binary and looking at the lines with "NEEDED", which seems to me should be fine for what we want to achieve here :)

> > Signed-off-by: Leo Nunner <l.nun...@proxmox.com> > --- > This solution does actually feel cleaner than manually checking all the > folders > every time. > > src/PVE/LXC/Setup/Base.pm | 27 +++++++++++++++++---------- > 1 file changed, 17 insertions(+), 10 deletions(-) > > diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm > index cc12914..44b88d9 100644 > --- a/src/PVE/LXC/Setup/Base.pm > +++ b/src/PVE/LXC/Setup/Base.pm 
> @@ -514,19 +514,26 @@ sub clear_machine_id { > } > } > > -# tries to guess the systemd (major) version based on the existence of > -# (/usr)?/lib/systemd/libsystemd-shared<version>.so. It was introduced in > v231. > +# tries to guess the systemd (major) version based on the > +# libsystemd-shared<version>.so linked with /sbin/init > sub get_systemd_version { > my ($self) = @_; > > - my $sd_lib_dir = $self->ct_is_directory("/lib/systemd") ? > - "/lib/systemd" : "/usr/lib/systemd"; > - my $libsd = PVE::Tools::dir_glob_regex($sd_lib_dir, > "libsystemd-shared-.+\.so"); > - if (defined($libsd) && $libsd =~ /libsystemd-shared-(\d+)(?:\..*)?\.so/) > { > - return $1; > - } > - > - return undef; > + my $version = undef; > + PVE::Tools::run_command( > + [ > + 'ldd', > + '/sbin/init' > + ], > + outfunc => sub { > + my $line = shift; > + if ($line =~ /^\s*libsystemd-shared-(\d+)(?:\.[a-zA-Z0-9]*)?\.so/) { > + $version = $1; > + }}, > + errmsg => "ldd on /sbin/init failed" > + ); > + > + return $version; > } > > sub unified_cgroupv2_support { > -- > 2.30.2 > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
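
Review bot: In the new get_systemd_version, run_command is called with errmsg and without noerr, so a non-zero exit from the external command (for example when /sbin/init is missing or is not a dynamic executable) raises an error, whereas the removed code fell through to `return undef`; wrap the call in eval or pass `noerr => 1` so callers keep getting undef when the version cannot be determined. The new pattern `(?:\.[a-zA-Z0-9]*)?\.so` also accepts at most one alphanumeric suffix segment where the removed `(?:\..*)?\.so` accepted any suffix, so a library name with several dot-separated parts or a hyphen after the major version no longer matches and the function silently returns undef. Both points still apply if the command is switched from ldd to `objdump -p` as the reply above asks, with the outfunc pattern then matching the NEEDED lines instead of a line that starts with the library name.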
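
The approach suggested in the reply above (reading the NEEDED entries from `objdump -p` instead of running `ldd`), as an added example that is not part of the original mail or of the Proxmox code base. The function names and the sample objdump output are constructed for illustration, and the caller is assumed to pass a path that already points inside the container's root.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Extract the systemd major version from `objdump -p` output by looking only
# at NEEDED entries of the dynamic section. Returns undef when none matches.
sub systemd_version_from_objdump {
    my ($text) = @_;
    for my $line (split /\n/, $text) {
        # Dynamic section entries look like "  NEEDED   libfoo.so.1"
        next if $line !~ /^\s*NEEDED\s+(\S+)\s*$/;
        my $lib = $1;
        # Same suffix handling as the regex the patch removed, but anchored
        # to the whole library name.
        return $1 if $lib =~ /^libsystemd-shared-(\d+)(?:\..*)?\.so$/;
    }
    return undef;
}

# Hypothetical wrapper: run objdump without a shell (list-form open) and
# return undef instead of dying, so a missing, static or malformed binary
# behaves like "version unknown". objdump only reads the file's headers;
# it does not load or execute the binary.
sub systemd_version_of_binary {
    my ($path) = @_;
    open(my $fh, '-|', 'objdump', '-p', $path) or return undef;
    my $out = do { local $/; <$fh> } // '';
    close($fh);
    return systemd_version_from_objdump($out);
}

# Constructed sample, shaped like the dynamic section objdump -p prints.
my $sample = <<'EOF';
Dynamic Section:
  NEEDED               libsystemd-shared-249.so
  NEEDED               libc.so.6
  RUNPATH              /lib/systemd
EOF

# Constructed sample for a binary without a dynamic section.
my $static = "Program Header:\n    LOAD off    0x0000000000000000\n";

printf "dynamic init: %s\n", systemd_version_from_objdump($sample) // 'undef';
printf "static init:  %s\n", systemd_version_from_objdump($static) // 'undef';
```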