Ensure that the concatenated path stays within the container and untaint it, so that this function can be called from other hooks that run in taint mode and would otherwise fail with an "Insecure dependency in exec" error.
Signed-off-by: Robert Obkircher <[email protected]>
---
 src/PVE/LXC/Setup/Base.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 12e3097..bd595ab 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -604,9 +604,16 @@ sub clear_machine_id {
 sub get_systemd_version {
     my ($self, $init) = @_;
 
+    my $binary = abs_path($self->{rootdir} . $init);
+    if ($binary =~ /(^\Q$self->{rootdir}\E.*)/) {
+        $binary = $1; # untainted
+    } else {
+        die "Could not construct path to systemd binary: $self->{rootdir}, $init";
+    }
+
     my $version = undef;
     PVE::Tools::run_command(
-        ['objdump', '-p', $self->{rootdir} . $init],
+        ['objdump', '-p', $binary],
         outfunc => sub {
             my $line = shift;
             if ($line =~ /libsystemd-shared-(\d+)(?:[-_.][a-zA-Z0-9]+)*\.so:?$/) {
-- 
2.47.3

_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
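Review bot: The containment test on the new `if ($binary =~ /(^\Q$self->{rootdir}\E.*)/)` line is a bare string-prefix match, so a resolved path that merely begins with the rootdir text, such as a sibling `<rootdir>-old/...`, passes, and it compares the symlink-resolved `$binary` against the unresolved `$self->{rootdir}`, so a rootdir that is itself reached through a symlink would be rejected spuriously. `abs_path` also returns undef when the concatenated path does not exist, which raises an uninitialized-value warning on the match before the `die` fires. I would canonicalise the rootdir the same way, strip its trailing slash, and require a `/` directly after the prefix, as below; `abs_path` is used unqualified here, so I assume `Cwd::abs_path` is already imported further up the file. `get_systemd_version` continues past the end of the hunk.
```perl
    my $root = abs_path($self->{rootdir})
        // die "Could not resolve container root directory: $self->{rootdir}\n";
    $root =~ s{/+$}{}; # a rootdir of '/' becomes '', so the check below still accepts any absolute path
    my $binary = abs_path($self->{rootdir} . $init)
        // die "Could not construct path to systemd binary: $self->{rootdir}, $init\n";
    # require a '/' right after the root so '<root>-foo/...' cannot pass, then untaint via $1
    if ($binary =~ m{^(\Q$root\E/.*)$}s) {
        $binary = $1; # untainted
    } else {
        die "Path to systemd binary escapes the container root: $binary\n";
    }
    # … unchanged: objdump call and version parsing …
```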
