root-tools/noshellinject

   1 #!/bin/bash
   2
   3 # This script, noshellinject, creates a mount namespace,
   4 # in which common shell commands (/bin/sh, /bin/bash, ...) are bind-mounted over with "notashell".
   5 #
   6 # Using notashell(1) is supposed to prevent shell-injections.
   7 #
   8 # notashell(1) bypasses shell only when the program, which is called by noshellinject, does
   9 # directly execute an over-mounted shell (notashell switches NOTASHELL_INTERCEPT environment off).
  10 # So in your untrusted-argument-validator script and any of its subprocesses,
  11 # sh(1)/bash(1) may be called at your convenience.
  12 # This is safe, because it's your control what you pass to them from the validator.
  13 #
  14 # One notable thing in its mechanics is that this re-enablement of real shells
  15 # is done not by switching back to the original mount namespace,
  16 # because the neglegent program (which calls system(3) inconsiderately) may
  17 # switch privilege level so its child process can not switch namespaces,
  18 # but by keep calling notashell(1) in guise of sh(1)/bash(1)
  19 # but no longer having NOTASHELL_INTERCEPT makes notashell(1) call the real boys
  20 # from /var/lib/notashell where they were previously saved (bind-mounted).
  21 # Therefore, don't allow users to change NOTASHELL_INTERCEPT environment either.
  22
  23 set -e
  24
  25 # where to save (bind-mount) read shell executables from /bin
  26 real_shells_dir=/var/lib/notashell
  27 # may extend if the neglegent program calls something else as shell
  28 shellnames=(sh dash bash)
  29
  30 propagtype()
  31 {
  32         findmnt --noheadings --output PROPAGATION "$1"
  33 }
  34
  35 if [ "$1" = --inner ]
  36 then
  37         mkdir -p "$real_shells_dir"
  38         # bind-mount this dir over itself to be able to make private mounts under it
  39         mount --bind "$real_shells_dir" "$real_shells_dir"
  40         mount --make-private "$real_shells_dir"
  41
  42         for shell in "${shellnames[@]}"
  43         do
  44                 # can bind-mount existing paths only
  45                 [ -f "$real_shells_dir/real-$shell" ] || true > "$real_shells_dir/real-$shell"
  46                 # save the real shell for later use
  47                 mount --bind /bin/$shell "$real_shells_dir/real-$shell"
  48         done
  49
  50         # after sub-mounts are mounted, clean up the parent mount from the parent namespace
  51         nsenter -t $PPID -m umount -l "$real_shells_dir"
  52
  53         # bind-mount this dir over itself to be able to make private mounts under it
  54         mount --bind /bin /bin
  55         mount --make-private /bin
  56
  57         # over-mount shells to be able to intercept "sh -c commandLine" type calls
  58         for shell in "${shellnames[@]}"
  59         do
  60                 mount --bind /usr/tool/notashell /bin/$shell
  61         done
  62
  63         # after sub-mounts are mounted, clean up the parent mount from the parent namespace
  64         nsenter -t $PPID -m umount -l /bin
  65
  66         shift
  67         export NOTASHELL_INTERCEPT=1
  68         exec "$@"
  69 else
  70         propagation=`propagtype /`
  71         if [ "$propagation" != shared ]
  72         then
  73                 echo "$0: mount events propagation of the root directory is $propagation, not shared." >&2
  74                 exit 1
  75         fi
  76
  77         exec unshare --mount --propagation=shared -- "$0" --inner "$@"
  78 fi